[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

etch: git-core 1:1.4.4.4-2 through t-p-u



Hi, I suggest to fix bug #413629 in etch with version 1:1.4.4.4-2.  sid
already has git-core 1:1.5.0.x, so it needs to go through t-p-u.  etch
currently has 1:1.4.4.4-1, debdiff is attached, is uploading ok with
you?

Thanks, Gerrit.
diff -u git-core-1.4.4.4/debian/changelog git-core-1.4.4.4/debian/changelog
--- git-core-1.4.4.4/debian/changelog
+++ git-core-1.4.4.4/debian/changelog
@@ -1,3 +1,12 @@
+git-core (1:1.4.4.4-2) testing-proposed-updates; urgency=high
+
+  * debian/diff/0001-http-push.c-lock_remote-validate-all-remote-refs.diff,
+    debian/diff/0002-Another-memory-overrun-in-http-push.c.diff: new,
+    cherry-pick'ed from upstream maint branch: fix memory overruns in
+    http-push.c (closes: #413629).
+
+ -- Gerrit Pape <pape@smarden.org>  Wed,  7 Mar 2007 17:14:04 +0000
+
 git-core (1:1.4.4.4-1) unstable; urgency=low
 
   * new upstream release, important fixes:
only in patch2:
unchanged:
--- git-core-1.4.4.4.orig/debian/diff/0002-Another-memory-overrun-in-http-push.c.diff
+++ git-core-1.4.4.4/debian/diff/0002-Another-memory-overrun-in-http-push.c.diff
@@ -0,0 +1,49 @@
+From 9a580d9d5d9e148f1cd78807c5b0476ec2431cfd Mon Sep 17 00:00:00 2001
+From: Eygene Ryabinkin <rea-git@codelabs.ru>
+Date: Thu, 1 Mar 2007 19:09:12 +0300
+Subject: [PATCH] Another memory overrun in http-push.c
+
+Use of strlcpy() are wrong, as the source buffer at these
+locations may not be NUL-terminated.
+---
+ http-push.c |   10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/http-push.c b/http-push.c
+index 60d2844..3f58ec4 100644
+--- a/http-push.c
++++ b/http-push.c
+@@ -1268,7 +1268,9 @@ xml_cdata(void *userData, const XML_Char *s, int len)
+ 	struct xml_ctx *ctx = (struct xml_ctx *)userData;
+ 	free(ctx->cdata);
+ 	ctx->cdata = xmalloc(len + 1);
+-	strlcpy(ctx->cdata, s, len + 1);
++	/* NB: 's' is not null-terminated, can not use strlcpy here */
++	memcpy(ctx->cdata, s, len);
++	ctx->cdata[len] = '\0';
+ }
+ 
+ static struct remote_lock *lock_remote(const char *path, long timeout)
+@@ -1470,7 +1472,8 @@ static void process_ls_object(struct remote_ls_ctx *ls)
+ 		return;
+ 	path += 8;
+ 	obj_hex = xmalloc(strlen(path));
+-	strlcpy(obj_hex, path, 3);
++	/* NB: path is not null-terminated, can not use strlcpy here */
++	memcpy(obj_hex, path, 2);
+ 	strcpy(obj_hex + 2, path + 3);
+ 	one_remote_object(obj_hex);
+ 	free(obj_hex);
+@@ -2167,7 +2170,8 @@ static void fetch_symref(const char *path, char **symref, unsigned char *sha1)
+ 	/* If it's a symref, set the refname; otherwise try for a sha1 */
+ 	if (!strncmp((char *)buffer.buffer, "ref: ", 5)) {
+ 		*symref = xmalloc(buffer.posn - 5);
+-		strlcpy(*symref, (char *)buffer.buffer + 5, buffer.posn - 5);
++		memcpy(*symref, (char *)buffer.buffer + 5, buffer.posn - 6);
++		(*symref)[buffer.posn - 6] = '\0';
+ 	} else {
+ 		get_sha1_hex(buffer.buffer, sha1);
+ 	}
+-- 
+1.5.0.3
+
only in patch2:
unchanged:
--- git-core-1.4.4.4.orig/debian/diff/0001-http-push.c-lock_remote-validate-all-remote-refs.diff
+++ git-core-1.4.4.4/debian/diff/0001-http-push.c-lock_remote-validate-all-remote-refs.diff
@@ -0,0 +1,30 @@
+From f727f23b35496ce0dc51f82249c57c29e9b63602 Mon Sep 17 00:00:00 2001
+From: Eygene Ryabinkin <rea-git@codelabs.ru>
+Date: Wed, 28 Feb 2007 12:12:02 -0800
+Subject: [PATCH] http-push.c::lock_remote(): validate all remote refs.
+
+Starting from offset 11 might have been good back when it was
+only used for updating "refs/heads/*", but it is used to update
+"info/refs" and "refs/tags/*" as well.
+
+Signed-off-by: Junio C Hamano <junkio@cox.net>
+---
+ http-push.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/http-push.c b/http-push.c
+index ecefdfd..60d2844 100644
+--- a/http-push.c
++++ b/http-push.c
+@@ -1292,7 +1292,7 @@ static struct remote_lock *lock_remote(const char *path, long timeout)
+ 	sprintf(url, "%s%s", remote->url, path);
+ 
+ 	/* Make sure leading directories exist for the remote ref */
+-	ep = strchr(url + strlen(remote->url) + 11, '/');
++	ep = strchr(url + strlen(remote->url) + 1, '/');
+ 	while (ep) {
+ 		*ep = 0;
+ 		slot = get_active_slot();
+-- 
+1.5.0.3
+

Reply to: