Accepting request 1188574 from devel:tools:scm

OBS-URL: https://build.opensuse.org/request/show/1188574 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=313
2024-07-22 15:14:26 +00:00 · 2024-07-22 15:14:26 +00:00 · 9122a6d039
commit 9122a6d039
parent 46e321a751 5792d0456b
3 changed files with 29 additions and 0 deletions
--- a/CVE-2024-24577.patch
+++ b/CVE-2024-24577.patch
@ -0,0 +1,20 @@
+Index: b/read-cache.c
+===================================================================
+--- a/read-cache.c
+++ b/read-cache.c
+@@ -1158,10 +1158,13 @@ static int has_dir_name(struct index_sta
+ 		size_t len;
+ 
+ 		for (;;) {
+-			if (*--slash == '/')
+-				break;
+			slash--;
+
+ 			if (slash <= ce->name)
+ 				return retval;
+
+			if (*slash == '/')
+				break;
+ 		}
+ 		len = slash - name;
+ 
--- a/git.changes
+++ b/git.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul 18 17:38:04 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
+
+- Add CVE-2024-24577.patch
+  * CVE-2024-24577: arbitrary code execution due to heap corruption
+    in git_index_add (boo#1219660)
+
 -------------------------------------------------------------------
 Fri May 31 22:57:33 UTC 2024 - Matej Cepl <mcepl@cepl.eu>

--- a/git.spec
+++ b/git.spec
@ -68,6 +68,8 @@ Patch4:         git-prevent_xss-default.diff
 Patch6:         git-tcsh-completion-fixes.diff
 Patch8:         git-asciidoc.patch
 Patch10:        setup-don-t-fail-if-commondir-reference-is-deleted.patch
+# PATCH-FIX-OPENSUSE CVE-2024-24577.patch boo#1219660 antonio.teixeira@suse.com
+Patch11:        CVE-2024-24577.patch
 BuildRequires:  fdupes
 BuildRequires:  gpg2
 BuildRequires:  libcurl-devel