From 7fb319bbcce05b5fef5644a5cc0ad37118ef6f28 Mon Sep 17 00:00:00 2001
From: yangjinlin01
Date: Wed, 9 Jul 2025 17:50:02 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-48386 to #22570 Commit fix cve-2025-48386 Project: TC2024080204
Signed-off-by: yangjinlin01
---
 ...386-avoid-buffer-overflow-in-wcsncat.patch | 90 +++++++++++++++++++
 git.spec | 7 +-
 2 files changed, 96 insertions(+), 1 deletion(-)
 create mode 100644 0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
diff --git a/0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch b/0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
new file mode 100644
index 0000000..2a1b467
--- /dev/null
+++ b/0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
@@ -0,0 +1,90 @@
+From 9de345cb273cc7faaeda279c7e07149d8a15a319 Mon Sep 17 00:00:00 2001
+From: Taylor Blau
+Date: Mon, 19 May 2025 18:30:29 -0400
+Subject: [PATCH] wincred: avoid buffer overflow in wcsncat()
+
+The wincred credential helper uses a static buffer ("target") as a
+unique key for storing and comparing against internal storage. It does
+this by building up a string is supposed to look like:
+
+ git:$PROTOCOL://$USERNAME@$HOST/@PATH
+
+However, the static "target" buffer is declared as a wide string with no
+more than 1,024 wide characters. The first call to wcsncat() is almost
+correct (it copies no more than ARRAY_SIZE(target) wchar_t's), but does
+not account for the trailing NUL, introducing an off-by-one error.
+
+But subsequent calls to wcsncat() have an additional problem on top of
+the off-by-one. They do not account for the length of the existing
+wide string being built up in 'target'. So the following:
+
+ $ perl -e '
+ my $x = "x" x 1_000;
+ print "protocol=$x\nhost=$x\nusername=$x\npath=$x\n"
+ ' |
+ C\:/Program\ Files/Git/mingw64/libexec/git-core/git-credential-wincred.exe get
+
+will result in a segmentation fault from over-filling buffer.
+
+This bug is as old as the wincred helper itself, dating back to
+a6253da0f3 (contrib: add win32 credential-helper, 2012-07-27). Commit
+8b2d219a3d (wincred: improve compatibility with windows versions,
+2013-01-10) replaced the use of strncat() with wcsncat(), but retained
+the buggy behavior.
+
+Fix this by using a "target_append()" helper which accounts for both the
+length of the existing string within the buffer, as well as the trailing
+NUL character.
+
+Reported-by: David Leadbeater
+Helped-by: David Leadbeater
+Helped-by: Jeff King
+Signed-off-by: Taylor Blau
+---
+ .../wincred/git-credential-wincred.c | 22 +++++++++++++------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c
+index 4cd56c42e24469..ceff44207ad8c0 100644
+--- a/contrib/credential/wincred/git-credential-wincred.c
++++ b/contrib/credential/wincred/git-credential-wincred.c
+@@ -37,6 +37,14 @@ static void *xmalloc(size_t size)
+ static WCHAR *wusername, *password, *protocol, *host, *path, target[1024],
+ *password_expiry_utc, *oauth_refresh_token;
+ 
++static void target_append(const WCHAR *src)
++{
++ size_t avail = ARRAY_SIZE(target) - wcslen(target) - 1; /* -1 for NUL */
++ if (avail < wcslen(src))
++ die("target buffer overflow");
++ wcsncat(target, src, avail);
++}
++
+ static void write_item(const char *what, LPCWSTR wbuf, int wlen)
+ {
+ char *buf;
+@@ -294,17 +302,17 @@ int main(int argc, char *argv[])
+ 
+ /* prepare 'target', the unique key for the credential */
+ wcscpy(target, L"git:");
+- wcsncat(target, protocol, ARRAY_SIZE(target));
+- wcsncat(target, L"://", ARRAY_SIZE(target));
++ target_append(protocol);
++ target_append(L"://");
+ if (wusername) {
+- wcsncat(target, wusername, ARRAY_SIZE(target));
+- wcsncat(target, L"@", ARRAY_SIZE(target));
++ target_append(wusername);
++ target_append(L"@");
+ }
+ if (host)
+- wcsncat(target, host, ARRAY_SIZE(target));
++ target_append(host);
+ if (path) {
+- wcsncat(target, L"/", ARRAY_SIZE(target));
+- wcsncat(target, path, ARRAY_SIZE(target));
++ target_append(L"/");
++ target_append(path);
+ }
+ 
+ if (!strcmp(argv[1], "get"))
diff --git a/git.spec b/git.spec
index 3993eb3..23ac722 100644
--- a/git.spec
+++ b/git.spec
@@ -1,4 +1,4 @@
-%define anolis_release 2
+%define anolis_release 3
 %bcond_without docs
 %bcond_with linkcheck
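Review bot: target_append() dies on overflow instead of truncating, but nothing in the helper says why, and a future "cleanup" could easily turn it back into a bounded wcsncat() that silently clips. Truncation would be the worse outcome here because `target` is the lookup key for the credential store: a clipped key could let two different protocol/host/path combinations alias the same entry and hand one target's credential to another, so the hard failure is the safer behaviour and deserves a comment above the `if`, e.g. `/* Refuse rather than truncate: a clipped key could alias another credential's target. */`. Separately, once the length check has passed `wcsncat(target, src, avail)` can never truncate, so `wcscat(target, src)` would state the intent more directly, though keeping wcsncat is harmless. target_append() is complete within this hunk; the second hunk's call sites are inside main(), which starts and ends outside the patch.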
@@ -42,6 +42,8 @@ Patch1: 0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
 Patch2: 0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
 Patch3: 0003-t-lib-git-svn-try-harder-to-find-a-port.patch
 Patch4: git-test-apache-davlockdbtype-config.patch
+#Upstream https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319
+Patch5: 0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
 %if %{with docs}
 BuildRequires: /usr/bin/pod2man
@@ -695,6 +697,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %changelog
+* Wed Jul 09 2025 yangjinlin01 - 2.47.1-3
+- fix CVE-2025-48386
+
 * Mon Jun 16 2025 Jessica Liu - 2.47.1-2
 - Skip tests which fail on riscv64
-- 
Gitee
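Review bot: The comment above Patch5 records the upstream commit but not what it touches: the patched file is contrib/credential/wincred/git-credential-wincred.c, which from its path and its use of WCHAR/LPCWSTR appears to be the Windows Credential Manager helper, so unless this spec builds contrib/credential/wincred the backport changes no shipped binary on this distribution. Carrying it for source parity and CVE tracking is still reasonable, but the spec should say so to spare the next reader from re-checking whether the build is affected, e.g. `# Upstream https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319` followed by `# contrib/credential/wincred is a Windows-only helper; applied for source parity / CVE tracking`. The %build and %install sections are outside this diff, so whether wincred is built here is inferred, not verified.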