Fix CVE-2024-24575,CVE-2024-24577

2024-02-17 11:39:05 +08:00 · 2024-02-17 11:39:05 +08:00 · 07d9dc1602
commit 07d9dc1602
parent dfa3ca685f
3 changed files with 109 additions and 1 deletions
--- a/CVE-2024-24575.patch
+++ b/CVE-2024-24575.patch
@ -0,0 +1,50 @@
+From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Fri, 17 Nov 2023 16:54:47 +0000
+Subject: [PATCH] revparse: fix parsing bug for trailing `@`
+
+Origin: https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
+
+When parsing a revspec that ends with a trailing `@`, explicitly stop
+parsing. Introduce a sentinel variable to explicitly stop parsing.
+
+Prior to this, we would set `spec` to `HEAD`, but were looping on the
+value of `spec[pos]`, so we would continue walking the (new) `spec`
+at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
+read.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+---
+ vendor/libgit2-sys/libgit2/src/libgit2/revparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
+index 964afe378da..06d92f82bf2 100644
+--- a/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
+++ b/vendor/libgit2-sys/libgit2/src/libgit2/revparse.c
+@@ -701,6 +701,7 @@ static int revparse(
+ 	git_object *base_rev = NULL;
+ 
+ 	bool should_return_reference = true;
+	bool parsed = false;
+ 
+ 	GIT_ASSERT_ARG(object_out);
+ 	GIT_ASSERT_ARG(reference_out);
+@@ -710,7 +711,7 @@ static int revparse(
+ 	*object_out = NULL;
+ 	*reference_out = NULL;
+ 
+-	while (spec[pos]) {
+	while (!parsed && spec[pos]) {
+ 		switch (spec[pos]) {
+ 		case '^':
+ 			should_return_reference = false;
+@@ -817,6 +818,8 @@ static int revparse(
+ 				break;
+ 			} else if (spec[pos+1] == '\0') {
+ 				spec = "HEAD";
+				identifier_len = 4;
+				parsed = true;
+ 				break;
+ 			}
+ 			/* fall through */
--- a/CVE-2024-24577.patch
+++ b/CVE-2024-24577.patch
@ -0,0 +1,51 @@
+From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Sat, 16 Dec 2023 11:19:07 +0000
+Subject: [PATCH] index: correct index has_dir_name check
+
+Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
+
+`has_dir_name` is used to check for directory/file collisions,
+and attempts to determine whether the index contains a file with
+a directory name that is a proper subset of the new index entry
+that we're trying to add.
+
+To determine directory name, the function would walk the path string
+backwards to identify a `/`, stopping at the end of the string. However,
+the function assumed that the strings did not start with a `/`. If the
+paths contain only a single `/` at the beginning of the string, then the
+function would continue the loop, erroneously, when they should have
+stopped at the first character.
+
+Correct the order of the tests to terminate properly.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+
+---
+ vendor/libgit2-sys/libgit2/src/libgit2/index.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/libgit2-sys/libgit2/src/libgit2/index.c b/vendor/libgit2-sys/libgit2/src/libgit2/index.c
+index 7ebe075..7862273 100644
+--- a/vendor/libgit2-sys/libgit2/src/libgit2/index.c
+++ b/vendor/libgit2-sys/libgit2/src/libgit2/index.c
+@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
+ 		size_t len, pos;
+ 
+ 		for (;;) {
+-			if (*--slash == '/')
+-				break;
+			slash--;
+
+ 			if (slash <= entry->path)
+ 				return 0;
+
+
+			if (*slash == '/')
+				break;
+ 		}
+ 		len = slash - name;
+ 
+-- 
+2.23.0
+
--- a/rust.spec
+++ b/rust.spec
@ -11,7 +11,7 @@

 Name:                rust
 Version:             1.75.0
-Release:             1
+Release:             2
 Summary:             The Rust Programming Language
 License:             Apache-2.0 OR MIT
 URL:                 https://www.rust-lang.org
@ -32,6 +32,8 @@ Patch0003:           0001-Use-lld-provided-by-system.patch
 Patch0004:           rustc-1.70.0-rust-gdb-substitute-path.patch
 # https://github.com/rust-lang/rust/pull/117982
 Patch0005:           0001-bootstrap-only-show-PGO-warnings-when-verbose.patch
+Patch0006:           CVE-2024-24575.patch
+Patch0007:           CVE-2024-24577.patch

 %{lua: function rust_triple(arch)
  local abi = "gnu"
@ -258,6 +260,8 @@ sed -i.try-python -e '/^try python3 /i try "%{python}" "$@"' ./configure
 %patch -P 0003 -p1
 %patch -P 0004 -p1
 %patch -P 0005 -p1
+%patch -P 0006 -p1
+%patch -P 0007 -p1
 rm -rf vendor/curl-sys*/curl/
 rm -rf vendor/jemalloc-sys/jemalloc/
 rm -rf vendor/libffi-sys*/libffi/
@ -488,6 +492,9 @@ export %{rust_env}
 %{_mandir}/man1/cargo*.1*

 %changelog
+* Sat Feb 17 2024 wangkai <13474090681@163.com> - 1.75.0-2
+- Fix CVE-2024-24575,CVE-2024-24577
+
 * Wed Jan 10 2024 wangkai <13474090681@163.com> - 1.75.0-1
 - Update to 1.75.0