Version in base suite: 1.5.1+ds-1 Base version: libgit2_1.5.1+ds-1 Target version: libgit2_1.5.1+ds-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libg/libgit2/libgit2_1.5.1+ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libg/libgit2/libgit2_1.5.1+ds-1+deb12u1.dsc changelog | 10 ++++++ gbp.conf | 4 +- patches/backports/CVE-2024-24575.patch | 50 +++++++++++++++++++++++++++++++++ patches/backports/CVE-2024-24577.patch | 46 ++++++++++++++++++++++++++++++ patches/series | 2 + 5 files changed, 110 insertions(+), 2 deletions(-)
diff -Nru libgit2-1.5.1+ds/debian/changelog libgit2-1.5.1+ds/debian/changelog
--- libgit2-1.5.1+ds/debian/changelog 2023-01-22 21:03:29.000000000 +0000
+++ libgit2-1.5.1+ds/debian/changelog 2024-02-08 11:31:43.000000000 +0000
@@ -1,3 +1,13 @@
+libgit2 (1.5.1+ds-1+deb12u1) bookworm-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2024-24575: Denial of service attack in git_revparse_single
+ (Closes: #1063415)
+ * Fix CVE-2024-24577: Use-after-free in git_index_add
+ (Closes: #1063416)
+
+ -- Timo Röhling Thu, 08 Feb 2024 12:31:43 +0100
+
 libgit2 (1.5.1+ds-1) unstable; urgency=high
 
 * Team upload.
diff -Nru libgit2-1.5.1+ds/debian/gbp.conf libgit2-1.5.1+ds/debian/gbp.conf
--- libgit2-1.5.1+ds/debian/gbp.conf 2022-03-03 08:22:44.000000000 +0000
+++ libgit2-1.5.1+ds/debian/gbp.conf 2024-02-08 11:31:43.000000000 +0000
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/sid
-upstream-branch = upstream/sid
+debian-branch = debian/bookworm
+upstream-branch =
 
 [pq]
 patch-numbers = False
diff -Nru libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24575.patch libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24575.patch
--- libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24575.patch 1970-01-01 00:00:00.000000000 +0000
+++ libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24575.patch 2024-02-08 11:31:43.000000000 +0000
@@ -0,0 +1,50 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?=
+Date: Thu, 8 Feb 2024 11:33:13 +0100
+Subject: revparse: fix parsing bug for trailing @
+
+When parsing a revspec that ends with a trailing `@`, explicitly stop
+parsing. Introduce a sentinel variable to explicitly stop parsing.
+
+Prior to this, we would set `spec` to `HEAD`, but were looping on the
+value of `spec[pos]`, so we would continue walking the (new) `spec`
+at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
+read.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+
+Bug-Debian: https://bugs.debian.org/1063415
+Origin: upstream, https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
+---
+ src/libgit2/revparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/libgit2/revparse.c b/src/libgit2/revparse.c
+index 9bc28e9..d3bbe84 100644
+--- a/src/libgit2/revparse.c
++++ b/src/libgit2/revparse.c
+@@ -685,6 +685,7 @@ static int revparse(
+ git_object *base_rev = NULL;
+
+ bool should_return_reference = true;
++ bool parsed = false;
+
+ GIT_ASSERT_ARG(object_out);
+ GIT_ASSERT_ARG(reference_out);
+@@ -694,7 +695,7 @@ static int revparse(
+ *object_out = NULL;
+ *reference_out = NULL;
+
+- while (spec[pos]) {
++ while (!parsed && spec[pos]) {
+ switch (spec[pos]) {
+ case '^':
+ should_return_reference = false;
+@@ -801,6 +802,8 @@ static int revparse(
+ break;
+ } else if (spec[pos+1] == '\0') {
+ spec = "HEAD";
++ identifier_len = 4;
++ parsed = true;
+ break;
+ }
+ /* fall through */
diff -Nru libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24577.patch libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24577.patch
--- libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24577.patch 1970-01-01 00:00:00.000000000 +0000
+++ libgit2-1.5.1+ds/debian/patches/backports/CVE-2024-24577.patch 2024-02-08 11:31:43.000000000 +0000
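Review bot: The three added statements in the trailing-`@` branch (`identifier_len = 4;`, `parsed = true;`) carry no comment saying why the loop must stop here, which is the whole substance of the fix and will not be obvious to the next person touching that `switch`; I would add `/* trailing '@' means HEAD: stop the loop now so pos is never used to index the replacement string */` directly above `parsed = true;`. The nested diffstat shows the backport touches only src/libgit2/revparse.c, so no regression test for a revspec ending in `@` is carried with it; if upstream's test was dropped during the backport it is worth carrying alongside. revparse() starts before and continues after this hunk, so whatever consumes `identifier_len` once the loop exits is not visible here and should be checked to accept the length of the literal `"HEAD"`.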
@@ -0,0 +1,46 @@
+From: Edward Thomson
+Date: Sat, 16 Dec 2023 11:19:07 +0000
+Subject: index: correct index has_dir_name check
+
+`has_dir_name` is used to check for directory/file collisions,
+and attempts to determine whether the index contains a file with
+a directory name that is a proper subset of the new index entry
+that we're trying to add.
+
+To determine directory name, the function would walk the path string
+backwards to identify a `/`, stopping at the end of the string. However,
+the function assumed that the strings did not start with a `/`. If the
+paths contain only a single `/` at the beginning of the string, then the
+function would continue the loop, erroneously, when they should have
+stopped at the first character.
+
+Correct the order of the tests to terminate properly.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+
+Bug-Debian: https://bugs.debian.org/1063416
+Origin: upstream, https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
+---
+ src/libgit2/index.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/libgit2/index.c b/src/libgit2/index.c
+index f44c507..dcc41ce 100644
+--- a/src/libgit2/index.c
++++ b/src/libgit2/index.c
+@@ -1148,10 +1148,13 @@ static int has_dir_name(git_index *index,
+ size_t len, pos;
+
+ for (;;) {
+- if (*--slash == '/')
+- break;
++ slash--;
++
+ if (slash <= entry->path)
+ return 0;
++
++ if (*slash == '/')
++ break;
+ }
+ len = slash - name;
+
diff -Nru libgit2-1.5.1+ds/debian/patches/series libgit2-1.5.1+ds/debian/patches/series
--- libgit2-1.5.1+ds/debian/patches/series 2023-01-22 21:03:29.000000000 +0000
+++ libgit2-1.5.1+ds/debian/patches/series 2024-02-08 11:31:43.000000000 +0000
@@ -2,3 +2,5 @@
 fix-unit-tests.patch
 handle-bashism.patch
 disable-flaky-stat-tests.patch
+backports/CVE-2024-24575.patch
+backports/CVE-2024-24577.patch
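Review bot: The reordered loop now executes `slash--;` before the `slash <= entry->path` test, so if `slash` can ever start at `entry->path` (an empty path) the decrement forms a pointer before the buffer before the bound check rejects it; whether that is reachable depends on how `slash` is initialised, which is outside the hunk, so the precondition should be written down, e.g. `/* slash starts past entry->path; a '/' at offset 0 is never a separator, so stop before reading it */` above the `for (;;)`. The change itself is right: the old `*--slash == '/'` read the byte before testing the bound, and the new order tests then reads. As with the revparse backport, the nested diffstat shows only src/libgit2/index.c is touched, so no regression test for a path beginning with `/` ships with the fix. has_dir_name() begins before and ends after this hunk.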