From b6e0305bd51752f4c3e70625bcfd00684611d862 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 3 Jul 2024 15:09:22 +0800
Subject: [PATCH 1/2] fix cve-2024-32004
---
 fix-cve-2024-32004.patch | 155 +++++++++++++++++++++++++++++++++++++++
 git.spec | 9 ++-
 2 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 fix-cve-2024-32004.patch
diff --git a/fix-cve-2024-32004.patch b/fix-cve-2024-32004.patch
new file mode 100644
index 0000000..b6bd2c0
--- /dev/null
+++ b/fix-cve-2024-32004.patch
@@ -0,0 +1,155 @@
+From ec325dd32dede3fce1ca9f8ba89cb2edb7ee13ce Mon Sep 17 00:00:00 2001
+From: root
+Date: Wed, 3 Jul 2024 14:49:20 +0800
+Subject: [PATCH] fix-cve-2024-32004
+
+---
+ Documentation/git-upload-pack.txt | 16 ++++++++++++++++
+ builtin/upload-pack.c | 4 +++-
+ cache.h | 14 +++++++++++++-
+ path.c | 2 ++
+ promisor-remote.c | 10 ++++++++++
+ setup.c | 21 +++++++++++++++++++++
+ 6 files changed, 65 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/git-upload-pack.txt b/Documentation/git-upload-pack.txt
+index b656b47..fc4c62d 100644
+--- a/Documentation/git-upload-pack.txt
++++ b/Documentation/git-upload-pack.txt
+@@ -55,6 +55,22 @@ ENVIRONMENT
+ admins may need to configure some transports to allow this
+ variable to be passed. See the discussion in linkgit:git[1].
+
++`GIT_NO_LAZY_FETCH`::
++ When cloning or fetching from a partial repository (i.e., one
++ itself cloned with `--filter`), the server-side `upload-pack`
++ may need to fetch extra objects from its upstream in order to
++ complete the request. By default, `upload-pack` will refuse to
++ perform such a lazy fetch, because `git fetch` may run arbitrary
++ commands specified in configuration and hooks of the source
++ repository (and `upload-pack` tries to be safe to run even in
++ untrusted `.git` directories).
+++
++This is implemented by having `upload-pack` internally set the
++`GIT_NO_LAZY_FETCH` variable to `1`. If you want to override it
++(because you are fetching from a partial clone, and you are sure
++you trust it), you can explicitly set `GIT_NO_LAZY_FETCH` to
++`0`.
++
+ SEE ALSO
+ --------
+ linkgit:gitnamespaces[7]
+diff --git a/builtin/upload-pack.c b/builtin/upload-pack.c
+index beb9dd0..c62d296 100644
+--- a/builtin/upload-pack.c
++++ b/builtin/upload-pack.c
+@@ -37,7 +37,9 @@ int cmd_upload_pack(int argc, const char **argv, const char *prefix)
+
+ packet_trace_identity("upload-pack");
+ read_replace_refs = 0;
+-
++ /* TODO: This should use NO_LAZY_FETCH_ENVIRONMENT */
++ xsetenv("GIT_NO_LAZY_FETCH", "1", 0);
++
+ argc = parse_options(argc, argv, prefix, options, upload_pack_usage, 0);
+
+ if (argc != 1)
+diff --git a/cache.h b/cache.h
+index bdedb87..5584077 100644
+--- a/cache.h
++++ b/cache.h
+@@ -612,4 +612,16 @@ int stat_validity_check(struct stat_validity *sv, const char *path);
+ */
+ void stat_validity_update(struct stat_validity *sv, int fd);
+
+-#endif /* CACHE_H */
++/*
++ * Check if a repository is safe and die if it is not, by verifying the
++ * ownership of the worktree (if any), the git directory, and the gitfile (if
++ * any).
++ *
++ * Exemptions for known-safe repositories can be added via `safe.directory`
++ * config settings; for non-bare repositories, their worktree needs to be
++ * added, for bare ones their git directory.
++ */
++void die_upon_dubious_ownership(const char *gitfile, const char *worktree,
++ const char *gitdir);
++
++#endif /* CACHE_H */
+\ No newline at end of file
+diff --git a/path.c b/path.c
+index 7c1cd81..4330315 100644
+--- a/path.c
++++ b/path.c
+@@ -847,6 +847,7 @@ const char *enter_repo(const char *path, int strict)
+ if (!suffix[i])
+ return NULL;
+ gitfile = read_gitfile(used_path.buf);
++ die_upon_dubious_ownership(gitfile, NULL, used_path.buf);
+ if (gitfile) {
+ strbuf_reset(&used_path);
+ strbuf_addstr(&used_path, gitfile);
+@@ -857,6 +858,7 @@ const char *enter_repo(const char *path, int strict)
+ }
+ else {
+ const char *gitfile = read_gitfile(path);
++ die_upon_dubious_ownership(gitfile, NULL, path);
+ if (gitfile)
+ path = gitfile;
+ if (chdir(path))
+diff --git a/promisor-remote.c b/promisor-remote.c
+index 1adcd6f..9f0441e 100644
+--- a/promisor-remote.c
++++ b/promisor-remote.c
+@@ -23,6 +23,16 @@ static int fetch_objects(struct repository *repo,
+ int i;
+ FILE *child_in;
+
++ /* TODO: This should use NO_LAZY_FETCH_ENVIRONMENT */
++ if (git_env_bool("GIT_NO_LAZY_FETCH", 0)) {
++ static int warning_shown;
++ if (!warning_shown) {
++ warning_shown = 1;
++ warning(_("lazy fetching disabled; some objects may not be available"));
++ }
++ return -1;
++ }
++
+ child.git_cmd = 1;
+ child.in = -1;
+ if (repo != the_repository)
+diff --git a/setup.c b/setup.c
+index 4585822..a8e2bc5 100644
+--- a/setup.c
++++ b/setup.c
+@@ -1172,6 +1172,27 @@ static int ensure_valid_ownership(const char *gitfile,
+ return data.is_safe;
+ }
+
++void die_upon_dubious_ownership(const char *gitfile, const char *worktree,
++ const char *gitdir)
++{
++ struct strbuf report = STRBUF_INIT, quoted = STRBUF_INIT;
++ const char *path;
++
++ if (ensure_valid_ownership(gitfile, worktree, gitdir, &report))
++ return;
++
++ strbuf_complete(&report, '\n');
++ path = gitfile ? gitfile : gitdir;
++ sq_quote_buf_pretty(&quoted, path);
++
++ die(_("detected dubious ownership in repository at '%s'\n"
++ "%s"
++ "To add an exception for this directory, call:\n"
++ "\n"
++ "\tgit config --global --add safe.directory %s"),
++ path, report.buf, quoted.buf);
++}
++
+ static int allowed_bare_repo_cb(const char *key, const char *value, void *d)
+ {
+ enum allowed_bare_repo *allowed_bare_repo = d;
+-- 
+2.33.0
+
diff --git a/git.spec b/git.spec
index 1ee6ed6..bdc8e40 100644
--- a/git.spec
+++ b/git.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %bcond_without docs
 %bcond_without tests
@@ -36,6 +36,10 @@ Patch1: 0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
 Patch2: 0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
 Patch3: 0003-t-lib-git-svn-try-harder-to-find-a-port.patch
+#https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
+#https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7
+Patch10: fix-cve-2024-32004.patch
+
 %if %{with docs}
 BuildRequires: /usr/bin/pod2man
 %if %{with asciidoctor}
@@ -685,6 +689,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %changelog
+* Wed Jul 3 2024 yangxinyu - 2.41.0-2
+- fix cve-2024-32004
+
 * Sat Jul 15 2023 Funda Wang - 2.41.0-1
 - New verison 2.41.0
-- 
Gitee
From fdd7831d07dc48169cc6734190ad02b865cdadef Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 3 Jul 2024 15:36:50 +0800
Subject: [PATCH 2/2] update
---
 git.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/git.spec b/git.spec
index bdc8e40..69a1e4c 100644
--- a/git.spec
+++ b/git.spec
@@ -38,7 +38,7 @@ Patch3: 0003-t-lib-git-svn-try-harder-to-find-a-port.patch
 #https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
 #https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7
-Patch10: fix-cve-2024-32004.patch
+#Patch10: fix-cve-2024-32004.patch
 %if %{with docs}
 BuildRequires: /usr/bin/pod2man
-- 
Gitee
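Review bot: The cache.h hunk of the embedded patch ends `++#endif /* CACHE_H */` followed by `+\ No newline at end of file`, so the backport strips the header's terminating newline (the removed `-#endif /* CACHE_H */` line carried no such marker, so the original file had one). Regenerate the patch with the final newline kept, so the next change to cache.h does not produce a spurious `-`/`+` pair and compilers that warn on a missing newline at end of file stay quiet. Both `/* TODO: This should use NO_LAZY_FETCH_ENVIRONMENT */` sites hardcode the string `"GIT_NO_LAZY_FETCH"`; since this backport already edits cache.h, it could add `#define NO_LAZY_FETCH_ENVIRONMENT "GIT_NO_LAZY_FETCH"` beside the new `die_upon_dubious_ownership()` declaration and use it in builtin/upload-pack.c and promisor-remote.c, so the setter in cmd_upload_pack() and the reader in fetch_objects() cannot drift apart. The path.c, promisor-remote.c and setup.c hunks appear consistent with the two upstream commits cited in git.spec; enter_repo(), fetch_objects() and cmd_upload_pack() all continue outside their hunks.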
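Review bot: The new `Patch10: fix-cve-2024-32004.patch` tag only results in the fix being built if %prep applies it, and %prep is outside this hunk; if it uses explicit `%patchN` lines rather than `%autosetup`, a matching `%patch10` line (same strip level as Patch1-Patch3) is needed, otherwise the changelog entry added in the same commit would advertise a fix the binary does not contain. The two `#https://github.com/git/git/commit/...` lines are good provenance; a one-line header such as `# CVE-2024-32004 backport of the following upstream commits:` above them would keep that association readable once more patches accumulate.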
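Review bot: Changing `Patch10: fix-cve-2024-32004.patch` to `#Patch10: fix-cve-2024-32004.patch` disables the only patch that addresses CVE-2024-32004, while the release bump to `%define anolis_release 2` and the changelog entry `- fix cve-2024-32004` from PATCH 1/2 remain, so the resulting git-2.41.0-2 package advertises a fix it does not contain. The commit message `update` gives no reason; if the patch failed to apply or broke the test suite on 2.41.0, say so in a comment above the tag and correct the changelog (or drop the release bump) until a working backport is re-enabled. If disabling is intentional, replace the commented-out tag with an explicit marker such as `# Patch10 disabled: <reason> -- CVE-2024-32004 is NOT fixed in this build` (constructed example) so auditors and vulnerability scanners that rely on the changelog are not misled.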