3 files changed, 112 insertions, 1 deletions
diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch
new file mode 100644
index 0000000000..d3957ac5d0
--- /dev/null
+++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch
@@ -0,0 +1,56 @@
+From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Fri, 17 Nov 2023 16:54:47 +0000
+Subject: [PATCH] revparse: fix parsing bug for trailing `@`
+When parsing a revspec that ends with a trailing `@`, explicitly stop
+parsing. Introduce a sentinel variable to explicitly stop parsing.
+Prior to this, we would set `spec` to `HEAD`, but were looping on the
+value of `spec[pos]`, so we would continue walking the (new) `spec`
+at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
+read.
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+CVE: CVE-2024-24575
+Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/revparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/src/revparse.c b/src/revparse.c
+index 9bc28e9fc..d3bbe840b 100644
+--- a/src/revparse.c
+++ b/src/revparse.c
+@@ -685,6 +685,7 @@ static int revparse(
+        git_object *base_rev = NULL;
+        bool should_return_reference = true;
+       bool parsed = false;
+        GIT_ASSERT_ARG(object_out);
+        GIT_ASSERT_ARG(reference_out);
+@@ -694,7 +695,7 @@ static int revparse(
+        *object_out = NULL;
+        *reference_out = NULL;
+-       while (spec[pos]) {
+       while (!parsed && spec[pos]) {
+                switch (spec[pos]) {
+                case '^':
+                        should_return_reference = false;
+@@ -801,6 +802,8 @@ static int revparse(
+                                break;
+                        } else if (spec[pos+1] == '\0') {
+                                spec = "HEAD";
+                               identifier_len = 4;
+                               parsed = true;
+                                break;
+                        }
+                        /* fall through */
+--
+2.40.0
diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch
new file mode 100644
index 0000000000..3469f9d099
--- /dev/null
+++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch
@@ -0,0 +1,52 @@
+From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Sat, 16 Dec 2023 11:19:07 +0000
+Subject: [PATCH] index: correct index has_dir_name check
+`has_dir_name` is used to check for directory/file collisions,
+and attempts to determine whether the index contains a file with
+a directory name that is a proper subset of the new index entry
+that we're trying to add.
+To determine directory name, the function would walk the path string
+backwards to identify a `/`, stopping at the end of the string. However,
+the function assumed that the strings did not start with a `/`. If the
+paths contain only a single `/` at the beginning of the string, then the
+function would continue the loop, erroneously, when they should have
+stopped at the first character.
+Correct the order of the tests to terminate properly.
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+CVE: CVE-2024-24577
+Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/index.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/src/index.c b/src/index.c
+index aa97c6421..e8ff82e1a 100644
+--- a/src/index.c
+++ b/src/index.c
+@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index,
+                size_t len, pos;
+                for (;;) {
+-                       if (*--slash == '/')
+-                               break;
+                       slash--;
+
+                        if (slash <= entry->path)
+                                return 0;
+
+                       if (*slash == '/')
+                               break;
+                }
+                len = slash - name;
+--
+2.40.0
diff --git a/meta/recipes-support/libgit2/libgit2_1.4.5.bb b/meta/recipes-support/libgit2/libgit2_1.4.5.bb
index aadfe4ad02..ad8b9a536a 100644
--- a/meta/recipes-support/libgit2/libgit2_1.4.5.bb
+++ b/meta/recipes-support/libgit2/libgit2_1.4.5.bb
@@ -5,7 +5,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e5a9227de4cb6afb5d35ed7b0fdf480d"
 DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2"
-SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https"
+SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https \
+           file://CVE-2024-24575.patch \
+           file://CVE-2024-24577.patch \
+           "
 SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea"
 S = "${WORKDIR}/git"

diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch new file mode 100644 index 0000000000..d3957ac5d0 --- /dev/null +++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch
@@ -0,0 +1,56 @@
		1	From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
		2	From: Edward Thomson <ethomson@edwardthomson.com>
		3	Date: Fri, 17 Nov 2023 16:54:47 +0000
		4	Subject: [PATCH] revparse: fix parsing bug for trailing `@`
		5
		6	When parsing a revspec that ends with a trailing `@`, explicitly stop
		7	parsing. Introduce a sentinel variable to explicitly stop parsing.
		8
		9	Prior to this, we would set `spec` to `HEAD`, but were looping on the
		10	value of `spec[pos]`, so we would continue walking the (new) `spec`
		11	at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
		12	read.
		13
		14	Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
		15
		16	CVE: CVE-2024-24575
		17
		18	Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf]
		19
		20	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		21	---
		22	src/revparse.c \| 5 ++++-
		23	1 file changed, 4 insertions(+), 1 deletion(-)
		24
		25	diff --git a/src/revparse.c b/src/revparse.c
		26	index 9bc28e9fc..d3bbe840b 100644
		27	--- a/src/revparse.c
		28	+++ b/src/revparse.c
		29	@@ -685,6 +685,7 @@ static int revparse(
		30	git_object *base_rev = NULL;
		31
		32	bool should_return_reference = true;
		33	+ bool parsed = false;
		34
		35	GIT_ASSERT_ARG(object_out);
		36	GIT_ASSERT_ARG(reference_out);
		37	@@ -694,7 +695,7 @@ static int revparse(
		38	*object_out = NULL;
		39	*reference_out = NULL;
		40
		41	- while (spec[pos]) {
		42	+ while (!parsed && spec[pos]) {
		43	switch (spec[pos]) {
		44	case '^':
		45	should_return_reference = false;
		46	@@ -801,6 +802,8 @@ static int revparse(
		47	break;
		48	} else if (spec[pos+1] == '\0') {
		49	spec = "HEAD";
		50	+ identifier_len = 4;
		51	+ parsed = true;
		52	break;
		53	}
		54	/* fall through */
		55	--
		56	2.40.0


diff --git a/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch new file mode 100644 index 0000000000..3469f9d099 --- /dev/null +++ b/meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch
@@ -0,0 +1,52 @@
		1	From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
		2	From: Edward Thomson <ethomson@edwardthomson.com>
		3	Date: Sat, 16 Dec 2023 11:19:07 +0000
		4	Subject: [PATCH] index: correct index has_dir_name check
		5
		6	`has_dir_name` is used to check for directory/file collisions,
		7	and attempts to determine whether the index contains a file with
		8	a directory name that is a proper subset of the new index entry
		9	that we're trying to add.
		10
		11	To determine directory name, the function would walk the path string
		12	backwards to identify a `/`, stopping at the end of the string. However,
		13	the function assumed that the strings did not start with a `/`. If the
		14	paths contain only a single `/` at the beginning of the string, then the
		15	function would continue the loop, erroneously, when they should have
		16	stopped at the first character.
		17
		18	Correct the order of the tests to terminate properly.
		19
		20	Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
		21
		22	CVE: CVE-2024-24577
		23
		24	Upstream-Status: Backport [https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3]
		25
		26	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		27	---
		28	src/index.c \| 7 +++++--
		29	1 file changed, 5 insertions(+), 2 deletions(-)
		30
		31	diff --git a/src/index.c b/src/index.c
		32	index aa97c6421..e8ff82e1a 100644
		33	--- a/src/index.c
		34	+++ b/src/index.c
		35	@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index,
		36	size_t len, pos;
		37
		38	for (;;) {
		39	- if (*--slash == '/')
		40	- break;
		41	+ slash--;
		42	+
		43	if (slash <= entry->path)
		44	return 0;
		45	+
		46	+ if (*slash == '/')
		47	+ break;
		48	}
		49	len = slash - name;
		50
		51	--
		52	2.40.0


diff --git a/meta/recipes-support/libgit2/libgit2_1.4.5.bb b/meta/recipes-support/libgit2/libgit2_1.4.5.bb index aadfe4ad02..ad8b9a536a 100644 --- a/meta/recipes-support/libgit2/libgit2_1.4.5.bb +++ b/meta/recipes-support/libgit2/libgit2_1.4.5.bb
@@ -5,7 +5,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e5a9227de4cb6afb5d35ed7b0fdf480d"
5		5
6	DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2"	6	DEPENDS = "curl openssl zlib libssh2 libgcrypt libpcre2"
7		7
8	SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https"	8	SRC_URI = "git://github.com/libgit2/libgit2.git;branch=maint/v1.4;protocol=https \
		9	file://CVE-2024-24575.patch \
		10	file://CVE-2024-24577.patch \
		11	"
9	SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea"	12	SRCREV = "cd6f679af401eda1f172402006ef8265f8bd58ea"
10		13
11	S = "${WORKDIR}/git"	14	S = "${WORKDIR}/git"