packages/rust
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-24575,CVE-2024-24577

Browse Source
This commit is contained in:
wk333 2024-02-17 11:39:05 +08:00
parent dfa3ca685f
commit 07d9dc1602
3 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
CVE-2024-24575.patch Normal file
View File

@ -0,0 +1,50 @@
From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Fri, 17 Nov 2023 16:54:47 +0000
Subject: [PATCH] revparse: fix parsing bug for trailing `@`
Origin: https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
When parsing a revspec that ends with a trailing `@`, explicitly stop
parsing. Introduce a sentinel variable to explicitly stop parsing.
Prior to this, we would set `spec` to `HEAD`, but were looping on the
value of `spec[pos]`, so we would continue walking the (new) `spec`
at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
read.
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
---
vendor/libgit2-sys/libgit2/src/libgit2/revparse.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
index 964afe378da..06d92f82bf2 100644
--- a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
+++ b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
@@ -701,6 +701,7 @@ static int revparse(
git_object *base_rev = NULL;
bool should_return_reference = true;
+ bool parsed = false;
GIT_ASSERT_ARG(object_out);
GIT_ASSERT_ARG(reference_out);
@@ -710,7 +711,7 @@ static int revparse(
*object_out = NULL;
*reference_out = NULL;
- while (spec[pos]) {
+ while (!parsed && spec[pos]) {
switch (spec[pos]) {
case '^':
should_return_reference = false;
@@ -817,6 +818,8 @@ static int revparse(
break;
} else if (spec[pos+1] == '\0') {
spec = "HEAD";
+ identifier_len = 4;
+ parsed = true;
break;
}
/* fall through */

51
CVE-2024-24577.patch Normal file
View File

@ -0,0 +1,51 @@
From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Sat, 16 Dec 2023 11:19:07 +0000
Subject: [PATCH] index: correct index has_dir_name check
Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
`has_dir_name` is used to check for directory/file collisions,
and attempts to determine whether the index contains a file with
a directory name that is a proper subset of the new index entry
that we're trying to add.
To determine directory name, the function would walk the path string
backwards to identify a `/`, stopping at the end of the string. However,
the function assumed that the strings did not start with a `/`. If the
paths contain only a single `/` at the beginning of the string, then the
function would continue the loop, erroneously, when they should have
stopped at the first character.
Correct the order of the tests to terminate properly.
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
---
vendor/libgit2-sys/libgit2/src/libgit2/index.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/index.c b/vendor/libgit2-sys/libgit2/src/libgit2/index.c
index 7ebe075..7862273 100644
--- a/vendor/libgit2-sys/libgit2/src/libgit2/index.c
+++ b/vendor/libgit2-sys/libgit2/src/libgit2/index.c
@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
size_t len, pos;
for (;;) {
- if (*--slash == '/')
- break;
+ slash--;
+
if (slash <= entry->path)
return 0;
+
+
+ if (*slash == '/')
+ break;
}
len = slash - name;
--
2.23.0

9
rust.spec
View File

@ -11,7 +11,7 @@
Name: rust Name: rust
Version: 1.75.0 Version: 1.75.0
Release: 1 Release: 2
Summary: The Rust Programming Language Summary: The Rust Programming Language
License: Apache-2.0 OR MIT License: Apache-2.0 OR MIT
URL: https://www.rust-lang.org URL: https://www.rust-lang.org
@ -32,6 +32,8 @@ Patch0003: 0001-Use-lld-provided-by-system.patch
Patch0004: rustc-1.70.0-rust-gdb-substitute-path.patch Patch0004: rustc-1.70.0-rust-gdb-substitute-path.patch
# https://github.com/rust-lang/rust/pull/117982 # https://github.com/rust-lang/rust/pull/117982
Patch0005: 0001-bootstrap-only-show-PGO-warnings-when-verbose.patch Patch0005: 0001-bootstrap-only-show-PGO-warnings-when-verbose.patch
Patch0006: CVE-2024-24575.patch
Patch0007: CVE-2024-24577.patch
%{lua: function rust_triple(arch) %{lua: function rust_triple(arch)
local abi = "gnu" local abi = "gnu"
@ -258,6 +260,8 @@ sed -i.try-python -e '/^try python3 /i try "%{python}" "$@"' ./configure
%patch -P 0003 -p1 %patch -P 0003 -p1
%patch -P 0004 -p1 %patch -P 0004 -p1
%patch -P 0005 -p1 %patch -P 0005 -p1
%patch -P 0006 -p1
%patch -P 0007 -p1
rm -rf vendor/curl-sys*/curl/ rm -rf vendor/curl-sys*/curl/
rm -rf vendor/jemalloc-sys/jemalloc/ rm -rf vendor/jemalloc-sys/jemalloc/
rm -rf vendor/libffi-sys*/libffi/ rm -rf vendor/libffi-sys*/libffi/
@ -488,6 +492,9 @@ export %{rust_env}
%{_mandir}/man1/cargo*.1* %{_mandir}/man1/cargo*.1*
%changelog %changelog
* Sat Feb 17 2024 wangkai <13474090681@163.com> - 1.75.0-2
- Fix CVE-2024-24575,CVE-2024-24577
* Wed Jan 10 2024 wangkai <13474090681@163.com> - 1.75.0-1 * Wed Jan 10 2024 wangkai <13474090681@163.com> - 1.75.0-1
- Update to 1.75.0 - Update to 1.75.0