1 files changed, 115 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch b/meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch
new file mode 100644
index 0000000000..d251a3d5ab
--- /dev/null
+++ b/meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch
@@ -0,0 +1,115 @@
+From c6bd2a1decc252d823104f9849c87ec8484b18ea Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 11 Feb 2016 17:23:48 -0500
+Subject: [PATCH] http-push: stop using name_path
+The graph traversal code here passes along a name_path to
+build up the pathname at which we find each blob. But we
+never actually do anything with the resulting names, making
+it a waste of code and memory.
+This usage came in aa1dbc9 (Update http-push functionality,
+2006-03-07), and originally the result was passed to
+"add_object" (which stored it, but didn't really use it,
+either). But we stopped using that function in 1f1e895 (Add
+"named object array" concept, 2006-06-19) in favor of
+storing just the objects themselves.
+Moreover, the generation of the name in process_tree() is
+buggy. It sticks "name" onto the end of the name_path linked
+list, and then passes it down again as it recurses (instead
+of "entry.path"). So it's a good thing this was unused, as
+the resulting path for "a/b/c/d" would end up as "a/a/a/a".
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Upstream-Status: Backport
+CVE: CVE-2016-2315 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ http-push.c | 23 +++++++----------------
+ 1 file changed, 7 insertions(+), 16 deletions(-)
+diff --git a/http-push.c b/http-push.c
+index c98dad2..8341909 100644
+--- a/http-push.c
+++ b/http-push.c
+@@ -1276,9 +1276,7 @@ static struct object_list **add_one_object(struct object *obj, struct object_lis
+ }
+ 
+ static struct object_list **process_blob(struct blob *blob,
+-                                        struct object_list **p,
+-                                        struct name_path *path,
+-                                        const char *name)
+                                        struct object_list **p)
+ {
+        struct object *obj = &blob->object;
+ 
+@@ -1292,14 +1290,11 @@ static struct object_list **process_blob(struct blob *blob,
+ }
+ 
+ static struct object_list **process_tree(struct tree *tree,
+-                                        struct object_list **p,
+-                                        struct name_path *path,
+-                                        const char *name)
+                                        struct object_list **p)
+ {
+        struct object *obj = &tree->object;
+        struct tree_desc desc;
+        struct name_entry entry;
+-       struct name_path me;
+ 
+        obj->flags |= LOCAL;
+ 
+@@ -1309,21 +1304,17 @@ static struct object_list **process_tree(struct tree *tree,
+                die("bad tree object %s", sha1_to_hex(obj->sha1));
+ 
+        obj->flags |= SEEN;
+-       name = xstrdup(name);
+        p = add_one_object(obj, p);
+-       me.up = path;
+-       me.elem = name;
+-       me.elem_len = strlen(name);
+ 
+        init_tree_desc(&desc, tree->buffer, tree->size);
+ 
+        while (tree_entry(&desc, &entry))
+                switch (object_type(entry.mode)) {
+                case OBJ_TREE:
+-                       p = process_tree(lookup_tree(entry.sha1), p, &me, name);
+                       p = process_tree(lookup_tree(entry.sha1), p);
+                        break;
+                case OBJ_BLOB:
+-                       p = process_blob(lookup_blob(entry.sha1), p, &me, name);
+                       p = process_blob(lookup_blob(entry.sha1), p);
+                        break;
+                default:
+                        /* Subproject commit - not in this repository */
+@@ -1342,7 +1333,7 @@ static int get_delta(struct rev_info *revs, struct remote_lock *lock)
+        int count = 0;
+ 
+        while ((commit = get_revision(revs)) != NULL) {
+-               p = process_tree(commit->tree, p, NULL, "");
+               p = process_tree(commit->tree, p);
+                commit->object.flags |= LOCAL;
+                if (!(commit->object.flags & UNINTERESTING))
+                        count += add_send_request(&commit->object, lock);
+@@ -1361,11 +1352,11 @@ static int get_delta(struct rev_info *revs, struct remote_lock *lock)
+                        continue;
+                }
+                if (obj->type == OBJ_TREE) {
+-                       p = process_tree((struct tree *)obj, p, NULL, name);
+                       p = process_tree((struct tree *)obj, p);
+                        continue;
+                }
+                if (obj->type == OBJ_BLOB) {
+-                       p = process_blob((struct blob *)obj, p, NULL, name);
+                       p = process_blob((struct blob *)obj, p);
+                        continue;
+                }
+                die("unknown pending object %s (%s)", sha1_to_hex(obj->sha1), name);
+-- 
+2.7.4

diff --git a/meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch b/meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch new file mode 100644 index 0000000000..d251a3d5ab --- /dev/null +++ b/meta/recipes-devtools/git/git-2.5.0/CVE-2016-2315_p1.patch
@@ -0,0 +1,115 @@
	1	From c6bd2a1decc252d823104f9849c87ec8484b18ea Mon Sep 17 00:00:00 2001
	2	From: Jeff King <peff@peff.net>
	3	Date: Thu, 11 Feb 2016 17:23:48 -0500
	4	Subject: [PATCH] http-push: stop using name_path
	5
	6	The graph traversal code here passes along a name_path to
	7	build up the pathname at which we find each blob. But we
	8	never actually do anything with the resulting names, making
	9	it a waste of code and memory.
	10
	11	This usage came in aa1dbc9 (Update http-push functionality,
	12	2006-03-07), and originally the result was passed to
	13	"add_object" (which stored it, but didn't really use it,
	14	either). But we stopped using that function in 1f1e895 (Add
	15	"named object array" concept, 2006-06-19) in favor of
	16	storing just the objects themselves.
	17
	18	Moreover, the generation of the name in process_tree() is
	19	buggy. It sticks "name" onto the end of the name_path linked
	20	list, and then passes it down again as it recurses (instead
	21	of "entry.path"). So it's a good thing this was unused, as
	22	the resulting path for "a/b/c/d" would end up as "a/a/a/a".
	23
	24	Signed-off-by: Jeff King <peff@peff.net>
	25	Signed-off-by: Junio C Hamano <gitster@pobox.com>
	26
	27	Upstream-Status: Backport
	28	CVE: CVE-2016-2315 patch1
	29	Signed-off-by: Armin Kuster <akuster@mvista.com>
	30
	31	---
	32	http-push.c \| 23 +++++++----------------
	33	1 file changed, 7 insertions(+), 16 deletions(-)
	34
	35	diff --git a/http-push.c b/http-push.c
	36	index c98dad2..8341909 100644
	37	--- a/http-push.c
	38	+++ b/http-push.c
	39	@@ -1276,9 +1276,7 @@ static struct object_list *add_one_object(struct object obj, struct object_lis
	40	}
	41
	42	static struct object_list *process_blob(struct blob blob,
	43	- struct object_list **p,
	44	- struct name_path *path,
	45	- const char *name)
	46	+ struct object_list **p)
	47	{
	48	struct object *obj = &blob->object;
	49
	50	@@ -1292,14 +1290,11 @@ static struct object_list *process_blob(struct blob blob,
	51	}
	52
	53	static struct object_list *process_tree(struct tree tree,
	54	- struct object_list **p,
	55	- struct name_path *path,
	56	- const char *name)
	57	+ struct object_list **p)
	58	{
	59	struct object *obj = &tree->object;
	60	struct tree_desc desc;
	61	struct name_entry entry;
	62	- struct name_path me;
	63
	64	obj->flags \|= LOCAL;
	65
	66	@@ -1309,21 +1304,17 @@ static struct object_list *process_tree(struct tree tree,
	67	die("bad tree object %s", sha1_to_hex(obj->sha1));
	68
	69	obj->flags \|= SEEN;
	70	- name = xstrdup(name);
	71	p = add_one_object(obj, p);
	72	- me.up = path;
	73	- me.elem = name;
	74	- me.elem_len = strlen(name);
	75
	76	init_tree_desc(&desc, tree->buffer, tree->size);
	77
	78	while (tree_entry(&desc, &entry))
	79	switch (object_type(entry.mode)) {
	80	case OBJ_TREE:
	81	- p = process_tree(lookup_tree(entry.sha1), p, &me, name);
	82	+ p = process_tree(lookup_tree(entry.sha1), p);
	83	break;
	84	case OBJ_BLOB:
	85	- p = process_blob(lookup_blob(entry.sha1), p, &me, name);
	86	+ p = process_blob(lookup_blob(entry.sha1), p);
	87	break;
	88	default:
	89	/* Subproject commit - not in this repository */
	90	@@ -1342,7 +1333,7 @@ static int get_delta(struct rev_info revs, struct remote_lock lock)
	91	int count = 0;
	92
	93	while ((commit = get_revision(revs)) != NULL) {
	94	- p = process_tree(commit->tree, p, NULL, "");
	95	+ p = process_tree(commit->tree, p);
	96	commit->object.flags \|= LOCAL;
	97	if (!(commit->object.flags & UNINTERESTING))
	98	count += add_send_request(&commit->object, lock);
	99	@@ -1361,11 +1352,11 @@ static int get_delta(struct rev_info revs, struct remote_lock lock)
	100	continue;
	101	}
	102	if (obj->type == OBJ_TREE) {
	103	- p = process_tree((struct tree *)obj, p, NULL, name);
	104	+ p = process_tree((struct tree *)obj, p);
	105	continue;
	106	}
	107	if (obj->type == OBJ_BLOB) {
	108	- p = process_blob((struct blob *)obj, p, NULL, name);
	109	+ p = process_blob((struct blob *)obj, p);
	110	continue;
	111	}
	112	die("unknown pending object %s (%s)", sha1_to_hex(obj->sha1), name);
	113	--
	114	2.7.4
	115