Merge pull request #1767 from pyhalov/git
git: fix CVE-2016-2315, CVE-2016-2324, fix tests run
2 files added
10 files renamed
File was renamed from components/git/Makefile |
| | |
| | | # |
| | | # Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. |
| | | # |
| | | include ../../make-rules/shared-macros.mk |
| | | include ../../../make-rules/shared-macros.mk |
| | | |
| | | COMPONENT_NAME= git |
| | | COMPONENT_VERSION= 1.9.4 |
| | | COMPONENT_REVISION= 2 |
| | | COMPONENT_REVISION= 3 |
| | | COMPONENT_PROJECT_URL= http://git-scm.com/ |
| | | COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION) |
| | | COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.xz |
| | |
| | | sha256:23935b38ce36fe47f01499cc2eadae2b180244b3ab706bec1fc0ae84ed32908e |
| | | COMPONENT_ARCHIVE_URL_1 = https://www.kernel.org/pub/software/scm/git/$(COMPONENT_ARCHIVE_1) |
| | | |
| | | include ../../make-rules/prep.mk |
| | | include ../../make-rules/configure.mk |
| | | include ../../make-rules/ips.mk |
| | | include $(WS_TOP)/make-rules/prep.mk |
| | | include $(WS_TOP)/make-rules/configure.mk |
| | | include $(WS_TOP)/make-rules/ips.mk |
| | | |
| | | CONFIGURE_PREFIX = /usr |
| | | CONFIGURE_OPTIONS += --without-openssl |
| | |
| | | # Therefore we need cloney to copy a set of files to build. |
| | | |
| | | COMPONENT_PRE_CONFIGURE_ACTION = \ |
| | | ($(CLONEY) $(SOURCE_DIR) $(@D)) |
| | | (chmod u+x $(COMPONENT_SRC)/t/*.sh && $(CLONEY) $(SOURCE_DIR) $(@D)) |
| | | |
| | | build: $(BUILD_32) |
| | | |
| | |
| | | |
| | | BUILD_PKG_DEPENDENCIES = $(BUILD_TOOLS) |
| | | |
| | | include ../../make-rules/depend.mk |
| | | include $(WS_TOP)/make-rules/depend.mk |
New file |
| | |
| | | From 34fa79a6cde56d6d428ab0d3160cb094ebad3305 Mon Sep 17 00:00:00 2001 |
| | | From: Jeff King <peff@peff.net> |
| | | Date: Thu, 24 Sep 2015 17:08:19 -0400 |
| | | Subject: [PATCH] prefer memcpy to strcpy |
| | | |
| | | When we already know the length of a string (e.g., because |
| | | we just malloc'd to fit it), it's nicer to use memcpy than |
| | | strcpy, as it makes it more obvious that we are not going to |
| | | overflow the buffer (because the size we pass matches the |
| | | size in the allocation). |
| | | |
| | | This also eliminates calls to strcpy, which make auditing |
| | | the code base harder. |
| | | |
| | | Signed-off-by: Jeff King <peff@peff.net> |
| | | Signed-off-by: Junio C Hamano <gitster@pobox.com> |
| | | --- |
| | | compat/nedmalloc/nedmalloc.c | 5 +++-- |
| | | fast-import.c | 5 +++-- |
| | | revision.c | 2 +- |
| | | 3 files changed, 7 insertions(+), 5 deletions(-) |
| | | |
| | | diff --git a/compat/nedmalloc/nedmalloc.c b/compat/nedmalloc/nedmalloc.c |
| | | index 609ebba..a0a16eb 100644 |
| | | --- a/compat/nedmalloc/nedmalloc.c |
| | | +++ b/compat/nedmalloc/nedmalloc.c |
| | | @@ -954,8 +954,9 @@ |
| | | { |
| | | char *s2 = 0; |
| | | if (s1) { |
| | | - s2 = malloc(strlen(s1) + 1); |
| | | - strcpy(s2, s1); |
| | | + size_t len = strlen(s1) + 1; |
| | | + s2 = malloc(len); |
| | | + memcpy(s2, s1, len); |
| | | } |
| | | return s2; |
| | | } |
| | | diff --git a/fast-import.c b/fast-import.c |
| | | index 895c6b4..cf6d8bc 100644 |
| | | --- a/fast-import.c |
| | | +++ b/fast-import.c |
| | | @@ -638,8 +638,9 @@ |
| | | |
| | | static char *pool_strdup(const char *s) |
| | | { |
| | | - char *r = pool_alloc(strlen(s) + 1); |
| | | - strcpy(r, s); |
| | | + size_t len = strlen(s) + 1; |
| | | + char *r = pool_alloc(len); |
| | | + memcpy(r, s, len); |
| | | return r; |
| | | } |
| | | |
| | | diff --git a/revision.c b/revision.c |
| | | index af2a18e..2236463 100644 |
| | | --- a/revision.c |
| | | +++ b/revision.c |
| | | @@ -29,7 +29,7 @@ |
| | | } |
| | | n = xmalloc(len); |
| | | m = n + len - (nlen + 1); |
| | | - strcpy(m, name); |
| | | + memcpy(m, name, nlen + 1); |
| | | for (p = path; p; p = p->up) { |
| | | if (p->elem_len) { |
| | | m -= p->elem_len + 1; |
| | | -- |
| | | 2.1.4 |
| | | |
New file |
| | |
| | | From: Takashi Iwai <tiwai@suse.com> |
| | | Date: Thu, 17 Mar 2016 07:51:23 +0100 |
| | | Subject: prevent buffer overflow in path_name() (CVE-2016-2324) |
| | | |
| | | Using int type for string sizes in path_name() allows a remotely |
| | | triggered buffer overflow if arithmetic wraps around. Use size_t instead |
| | | and bail out if resulting size exceeds INT_MAX. |
| | | --- |
| | | revision.c | 18 ++++++++++++++++-- |
| | | 1 file changed, 16 insertions(+), 2 deletions(-) |
| | | |
| | | --- a/revision.c |
| | | +++ b/revision.c |
| | | @@ -20,14 +20,20 @@ |
| | | { |
| | | const struct name_path *p; |
| | | char *n, *m; |
| | | - int nlen = strlen(name); |
| | | - int len = nlen + 1; |
| | | + size_t nlen = strlen(name); |
| | | + size_t len = nlen + 1; |
| | | |
| | | + if (len >= INT_MAX) |
| | | + goto error; |
| | | for (p = path; p; p = p->up) { |
| | | if (p->elem_len) |
| | | len += p->elem_len + 1; |
| | | + if (len >= INT_MAX) |
| | | + goto error; |
| | | } |
| | | n = xmalloc(len); |
| | | + if (!n) |
| | | + goto error; |
| | | m = n + len - (nlen + 1); |
| | | memcpy(m, name, nlen + 1); |
| | | for (p = path; p; p = p->up) { |
| | | @@ -38,6 +44,14 @@ |
| | | } |
| | | } |
| | | return n; |
| | | + |
| | | + error: |
| | | + /* FIXME: better to return an error, but the caller of this function |
| | | + * doesn't do any NULL-checks, so it's safer to exit forcibly |
| | | + */ |
| | | + exit(1); |
| | | + |
| | | + return NULL; |
| | | } |
| | | |
| | | static int show_path_component_truncated(FILE *out, const char *name, int len) |