Alexander Pyhalov
2016-03-20 fef086e690a27ca589230fc882d0da7b689ab4cc
Merge pull request #1767 from pyhalov/git

git: fix CVE-2016-2315 and CVE-2016-2324; fix the test run
2 files added
10 files renamed
135 ■■■■■ changed files
components/developer/git/Makefile 14 ●●●● patch | view | raw | blame | history
components/developer/git/git.license patch | view | raw | blame | history
components/developer/git/git.p5m patch | view | raw | blame | history
components/developer/git/patches/0001-perl_Makefile.patch patch | view | raw | blame | history
components/developer/git/patches/0009-Use-getpassphrase-instead-of-getpass-when-prompting-.patch patch | view | raw | blame | history
components/developer/git/patches/0011-CVE-2015-7545-1.patch patch | view | raw | blame | history
components/developer/git/patches/0012-CVE-2015-7545-2.patch patch | view | raw | blame | history
components/developer/git/patches/0013-CVE-2015-7545-3.patch patch | view | raw | blame | history
components/developer/git/patches/0014-CVE-2015-7545-4.patch patch | view | raw | blame | history
components/developer/git/patches/0015-CVE-2016-2315.patch 70 ●●●●● patch | view | raw | blame | history
components/developer/git/patches/0016-CVE-2016-2324.patch 51 ●●●●● patch | view | raw | blame | history
components/developer/git/resolve.deps patch | view | raw | blame | history
components/developer/git/Makefile
File was renamed from components/git/Makefile
@@ -20,11 +20,11 @@
#
# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved.
#
include ../../make-rules/shared-macros.mk
include ../../../make-rules/shared-macros.mk
COMPONENT_NAME=        git
COMPONENT_VERSION=    1.9.4
COMPONENT_REVISION=    2
COMPONENT_REVISION=    3
COMPONENT_PROJECT_URL=    http://git-scm.com/
COMPONENT_SRC=        $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE=    $(COMPONENT_SRC).tar.xz
@@ -41,9 +41,9 @@
    sha256:23935b38ce36fe47f01499cc2eadae2b180244b3ab706bec1fc0ae84ed32908e
COMPONENT_ARCHIVE_URL_1 = https://www.kernel.org/pub/software/scm/git/$(COMPONENT_ARCHIVE_1)
include ../../make-rules/prep.mk
include ../../make-rules/configure.mk
include ../../make-rules/ips.mk
include $(WS_TOP)/make-rules/prep.mk
include $(WS_TOP)/make-rules/configure.mk
include $(WS_TOP)/make-rules/ips.mk
CONFIGURE_PREFIX    =    /usr
CONFIGURE_OPTIONS  +=    --without-openssl
@@ -64,7 +64,7 @@
# Therefore we need cloney to copy a set of files to build.
COMPONENT_PRE_CONFIGURE_ACTION = \
    ($(CLONEY) $(SOURCE_DIR) $(@D))
    (chmod u+x $(COMPONENT_SRC)/t/*.sh  && $(CLONEY) $(SOURCE_DIR) $(@D))
build:        $(BUILD_32)
@@ -100,4 +100,4 @@
BUILD_PKG_DEPENDENCIES =    $(BUILD_TOOLS)
include ../../make-rules/depend.mk
include $(WS_TOP)/make-rules/depend.mk
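Review bot: The new pre-configure action in the `COMPONENT_PRE_CONFIGURE_ACTION` hunk changes modes on `$(COMPONENT_SRC)/t/*.sh` while the tree that is then copied for the build is `$(SOURCE_DIR)`; if the two do not resolve to the same directory, the `+x` lands on a tree the build never uses and the test scripts stay non-executable. Using one name for both keeps that from drifting, e.g. `(chmod u+x $(SOURCE_DIR)/t/*.sh && $(CLONEY) $(SOURCE_DIR) $(@D))`. Because the two commands are joined with `&&`, a glob that matches nothing makes the chmod fail and aborts the clone, which is presumably intended but worth a one-line comment such as `# t/*.sh must be executable for the test suite to run` so the next maintainer does not drop the step.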
components/developer/git/git.license
components/developer/git/git.p5m
components/developer/git/patches/0001-perl_Makefile.patch
components/developer/git/patches/0009-Use-getpassphrase-instead-of-getpass-when-prompting-.patch
components/developer/git/patches/0011-CVE-2015-7545-1.patch
components/developer/git/patches/0012-CVE-2015-7545-2.patch
components/developer/git/patches/0013-CVE-2015-7545-3.patch
components/developer/git/patches/0014-CVE-2015-7545-4.patch
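--- a/components/developer/git/patches/0015-CVE-2016-2315.patch
+++ b/components/developer/git/patches/0015-CVE-2016-2315.patch
@@ -0,0 +1,70 @@
+From 34fa79a6cde56d6d428ab0d3160cb094ebad3305 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Thu, 24 Sep 2015 17:08:19 -0400
+Subject: [PATCH] prefer memcpy to strcpy
+When we already know the length of a string (e.g., because
+we just malloc'd to fit it), it's nicer to use memcpy than
+strcpy, as it makes it more obvious that we are not going to
+overflow the buffer (because the size we pass matches the
+size in the allocation).
+This also eliminates calls to strcpy, which make auditing
+the code base harder.
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ compat/nedmalloc/nedmalloc.c | 5 +++--
+ fast-import.c                | 5 +++--
+ revision.c                   | 2 +-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+diff --git a/compat/nedmalloc/nedmalloc.c b/compat/nedmalloc/nedmalloc.c
+index 609ebba..a0a16eb 100644
+--- a/compat/nedmalloc/nedmalloc.c
++++ b/compat/nedmalloc/nedmalloc.c
+@@ -954,8 +954,9 @@
+ {
+     char *s2 = 0;
+     if (s1) {
+-        s2 = malloc(strlen(s1) + 1);
+-        strcpy(s2, s1);
++        size_t len = strlen(s1) + 1;
++        s2 = malloc(len);
++        memcpy(s2, s1, len);
+     }
+     return s2;
+ }
+diff --git a/fast-import.c b/fast-import.c
+index 895c6b4..cf6d8bc 100644
+--- a/fast-import.c
++++ b/fast-import.c
+@@ -638,8 +638,9 @@
+ static char *pool_strdup(const char *s)
+ {
+-    char *r = pool_alloc(strlen(s) + 1);
+-    strcpy(r, s);
++    size_t len = strlen(s) + 1;
++    char *r = pool_alloc(len);
++    memcpy(r, s, len);
+     return r;
+ }
+diff --git a/revision.c b/revision.c
+index af2a18e..2236463 100644
+--- a/revision.c
++++ b/revision.c
+@@ -29,7 +29,7 @@
+     }
+     n = xmalloc(len);
+     m = n + len - (nlen + 1);
+-    strcpy(m, name);
++    memcpy(m, name, nlen + 1);
+     for (p = path; p; p = p->up) {
+         if (p->elem_len) {
+             m -= p->elem_len + 1;
+--
+2.1.4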
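Review bot: The file is named `0015-CVE-2016-2315.patch`, but its content is the upstream "prefer memcpy to strcpy" commit, whose own description presents it as making the bounded copy more obvious rather than as fixing an overflow; it does not change any buffer size or length computation. It looks like it is carried because the `memcpy(m, name, nlen + 1);` line it introduces in revision.c is the context the following `0016-CVE-2016-2324.patch` applies against, not because it closes CVE-2016-2315 on its own. Please confirm which change in this series is meant to address CVE-2016-2315 and either rename this file or add a line to its header such as `Prerequisite for 0016-CVE-2016-2324.patch (supplies the memcpy context line); not the CVE-2016-2315 fix itself.` so the CVE tag is not read as coverage. The three hunks themselves are behaviour-preserving: each copies `strlen(s) + 1` bytes into an allocation of exactly that size.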
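--- a/components/developer/git/patches/0016-CVE-2016-2324.patch
+++ b/components/developer/git/patches/0016-CVE-2016-2324.patch
@@ -0,0 +1,51 @@
+From: Takashi Iwai <tiwai@suse.com>
+Date: Thu, 17 Mar 2016 07:51:23 +0100
+Subject: prevent buffer overflow in path_name() (CVE-2016-2324)
+Using int type for string sizes in path_name() allows a remotely
+triggered buffer overflow if arithmetic wraps around. Use size_t instead
+and bail out if resulting size exceeds INT_MAX.
+---
+ revision.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+--- a/revision.c
++++ b/revision.c
+@@ -20,14 +20,20 @@
+ {
+     const struct name_path *p;
+     char *n, *m;
+-    int nlen = strlen(name);
+-    int len = nlen + 1;
++    size_t nlen = strlen(name);
++    size_t len = nlen + 1;
++    if (len >= INT_MAX)
++        goto error;
+     for (p = path; p; p = p->up) {
+         if (p->elem_len)
+             len += p->elem_len + 1;
++        if (len >= INT_MAX)
++            goto error;
+     }
+     n = xmalloc(len);
++    if (!n)
++        goto error;
+     m = n + len - (nlen + 1);
+     memcpy(m, name, nlen + 1);
+     for (p = path; p; p = p->up) {
+@@ -38,6 +44,14 @@
+         }
+     }
+     return n;
++
++ error:
++    /* FIXME: better to return an error, but the caller of this function
++     * doesn't do any NULL-checks, so it's safer to exit forcibly
++     */
++    exit(1);
++
++    return NULL;
+ }
+ static int show_path_component_truncated(FILE *out, const char *name, int len)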
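Review bot: The `error:` label added at the end of path_name() calls `exit(1)` with no diagnostic, so an over-long path that trips the new `len >= INT_MAX` guard is indistinguishable from any other abnormal exit; if git's `die()` is in scope here, `die("path_name: path too long");` aborts the same way and records why, which matters for anyone triaging a crash against this mitigation. The `if (!n) goto error;` after `xmalloc(len)` is probably dead, since git's xmalloc wrapper aborts rather than returning NULL on allocation failure — worth confirming in wrapper.c, and if so the check can go so the guard stays focused on the size limit. The trailing `return NULL;` is unreachable after `exit(1)` and exists only to satisfy the compiler; a comment such as `/* not reached; keeps the non-void return warning quiet */` would say so. The body of path_name() begins before the first hunk of this patch.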
components/developer/git/resolve.deps