diff --git a/0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch b/0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
deleted file mode 100644
index 2a1b467b03c9b367548859416bf21e65ddc31bfe..0000000000000000000000000000000000000000
--- a/0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 9de345cb273cc7faaeda279c7e07149d8a15a319 Mon Sep 17 00:00:00 2001
-From: Taylor Blau
-Date: Mon, 19 May 2025 18:30:29 -0400
-Subject: [PATCH] wincred: avoid buffer overflow in wcsncat()
-
-The wincred credential helper uses a static buffer ("target") as a
-unique key for storing and comparing against internal storage. It does
-this by building up a string is supposed to look like:
-
- git:$PROTOCOL://$USERNAME@$HOST/@PATH
-
-However, the static "target" buffer is declared as a wide string with no
-more than 1,024 wide characters. The first call to wcsncat() is almost
-correct (it copies no more than ARRAY_SIZE(target) wchar_t's), but does
-not account for the trailing NUL, introducing an off-by-one error.
-
-But subsequent calls to wcsncat() have an additional problem on top of
-the off-by-one. They do not account for the length of the existing
-wide string being built up in 'target'. So the following:
-
- $ perl -e '
- my $x = "x" x 1_000;
- print "protocol=$x\nhost=$x\nusername=$x\npath=$x\n"
- ' |
- C\:/Program\ Files/Git/mingw64/libexec/git-core/git-credential-wincred.exe get
-
-will result in a segmentation fault from over-filling buffer.
-
-This bug is as old as the wincred helper itself, dating back to
-a6253da0f3 (contrib: add win32 credential-helper, 2012-07-27). Commit
-8b2d219a3d (wincred: improve compatibility with windows versions,
-2013-01-10) replaced the use of strncat() with wcsncat(), but retained
-the buggy behavior.
-
-Fix this by using a "target_append()" helper which accounts for both the
-length of the existing string within the buffer, as well as the trailing
-NUL character.
-
-Reported-by: David Leadbeater
-Helped-by: David Leadbeater
-Helped-by: Jeff King
-Signed-off-by: Taylor Blau
----
- .../wincred/git-credential-wincred.c | 22 +++++++++++++------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c
-index 4cd56c42e24469..ceff44207ad8c0 100644
---- a/contrib/credential/wincred/git-credential-wincred.c
-+++ b/contrib/credential/wincred/git-credential-wincred.c
-@@ -37,6 +37,14 @@ static void *xmalloc(size_t size)
- static WCHAR *wusername, *password, *protocol, *host, *path, target[1024],
- *password_expiry_utc, *oauth_refresh_token;
-
-+static void target_append(const WCHAR *src)
-+{
-+ size_t avail = ARRAY_SIZE(target) - wcslen(target) - 1; /* -1 for NUL */
-+ if (avail < wcslen(src))
-+ die("target buffer overflow");
-+ wcsncat(target, src, avail);
-+}
-+
- static void write_item(const char *what, LPCWSTR wbuf, int wlen)
- {
- char *buf;
-@@ -294,17 +302,17 @@ int main(int argc, char *argv[])
-
- /* prepare 'target', the unique key for the credential */
- wcscpy(target, L"git:");
-- wcsncat(target, protocol, ARRAY_SIZE(target));
-- wcsncat(target, L"://", ARRAY_SIZE(target));
-+ target_append(protocol);
-+ target_append(L"://");
- if (wusername) {
-- wcsncat(target, wusername, ARRAY_SIZE(target));
-- wcsncat(target, L"@", ARRAY_SIZE(target));
-+ target_append(wusername);
-+ target_append(L"@");
- }
- if (host)
-- wcsncat(target, host, ARRAY_SIZE(target));
-+ target_append(host);
- if (path) {
-- wcsncat(target, L"/", ARRAY_SIZE(target));
-- wcsncat(target, path, ARRAY_SIZE(target));
-+ target_append(L"/");
-+ target_append(path);
- }
-
- if (!strcmp(argv[1], "get"))
diff --git a/git-2.47.1.tar.xz b/git-2.47.3.tar.xz
similarity index 50%
rename from git-2.47.1.tar.xz
rename to git-2.47.3.tar.xz
index 20c12a0e78f4c6aea14f81ec942963571d787197..daae39f146893e502033987a69bc1133ae6d39fc 100644
Binary files a/git-2.47.1.tar.xz and b/git-2.47.3.tar.xz differ
diff --git a/git.spec b/git.spec
index 3a9a631fa4d7e0da4705dfd5df3918997aebce27..1e0311908804301eda9e87288224810c861f941a 100644
--- a/git.spec
+++ b/git.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 1
 %bcond_without docs
 %bcond_with linkcheck
@@ -23,7 +23,7 @@
 %global _package_note_file %{_builddir}/%{name}-%{version}/.package_note-%{name}-%{version}-%{release}.%{_arch}.ld
 Name: git
-Version: 2.47.1
+Version: 2.47.3
 Release: %{anolis_release}%{?dist}
 Summary: Distributed version control system
 License: BSD-3-Clause AND GPLv2 AND LGPL-2.1-or-later AND MIT
@@ -42,10 +42,8 @@ Patch1: 0001-t-lib-httpd-try-harder-to-find-a-port-for-apache.patch
 Patch2: 0002-t-lib-git-daemon-try-harder-to-find-a-port.patch
 Patch3: 0003-t-lib-git-svn-try-harder-to-find-a-port.patch
 Patch4: git-test-apache-davlockdbtype-config.patch
-#Upstream https://github.com/git/git/commit/9de345cb273cc7faaeda279c7e07149d8a15a319
-Patch5: 0005-bug-fix-CVE-2025-48386-avoid-buffer-overflow-in-wcsncat.patch
 # https://github.com/gitgitgadget/git/pull/1853
-Patch6: 0004-backport-CVE-2024-52005.patch
+Patch5: 0004-backport-CVE-2024-52005.patch
 %if %{with docs}
 BuildRequires: /usr/bin/pod2man
@@ -699,6 +697,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %changelog
+* Fri Jul 11 2025 Yangcheng - 2.47.3-1
+- update to 2.47.3 to fix CVE-2025-48384 CVE-2025-48385 CVE-2025-48386
+
 * Thu Jul 10 2025 wenxin - 2.47.1-4
 - Add patch to fix CVE-2024-52005
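Review bot: In the `@@ -42,10 +42,8 @@` hunk of git.spec, the one downstream security patch that remains is renumbered from `Patch6` to `Patch5`, and nothing in the visible hunks shows how `%prep` applies patches. If that section uses numbered `%patch` invocations rather than `%autosetup`/`%autopatch` (not visible here), it needs the matching renumbering; otherwise the build fails or the CVE-2024-52005 backport is no longer applied on top of 2.47.3. The retained comment is only a pull-request URL, so I would extend it to say why this patch survives the rebase, e.g. `# CVE-2024-52005 backport (gitgitgadget/git#1853), still carried on top of 2.47.3`. It is also worth confirming that the backport still applies cleanly to the 2.47.3 sources, since the patch file itself is not refreshed in this change.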