Version in base suite: 1.1.0+dfsg.1-4+deb11u1 Base version: libgit2_1.1.0+dfsg.1-4+deb11u1 Target version: libgit2_1.1.0+dfsg.1-4+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libg/libgit2/libgit2_1.1.0+dfsg.1-4+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libg/libgit2/libgit2_1.1.0+dfsg.1-4+deb11u2.dsc changelog | 8 +++++++ patches/CVE-2024-24577.patch | 46 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 55 insertions(+) diff -Nru libgit2-1.1.0+dfsg.1/debian/changelog libgit2-1.1.0+dfsg.1/debian/changelog --- libgit2-1.1.0+dfsg.1/debian/changelog 2023-04-02 10:28:08.000000000 +0000 +++ libgit2-1.1.0+dfsg.1/debian/changelog 2024-02-08 17:22:27.000000000 +0000 @@ -1,3 +1,11 @@ +libgit2 (1.1.0+dfsg.1-4+deb11u2) bullseye-security; urgency=medium + + * Team upload. + * Fix CVE-2024-24577: Use-after-free in git_index_add + (Closes: #1063416) + + -- Timo Röhling Thu, 08 Feb 2024 18:22:27 +0100 + libgit2 (1.1.0+dfsg.1-4+deb11u1) bullseye; urgency=high * Non-maintainer upload by the Security Team diff -Nru libgit2-1.1.0+dfsg.1/debian/patches/CVE-2024-24577.patch libgit2-1.1.0+dfsg.1/debian/patches/CVE-2024-24577.patch --- libgit2-1.1.0+dfsg.1/debian/patches/CVE-2024-24577.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgit2-1.1.0+dfsg.1/debian/patches/CVE-2024-24577.patch 2024-02-08 17:19:25.000000000 +0000 
@@ -0,0 +1,46 @@ +From: =?utf-8?q?Timo_R=C3=B6hling?= +Date: Thu, 8 Feb 2024 18:18:26 +0100 +Subject: index: correct index has_dir_name check + +`has_dir_name` is used to check for directory/file collisions, +and attempts to determine whether the index contains a file with +a directory name that is a proper subset of the new index entry +that we're trying to add. + +To determine directory name, the function would walk the path string +backwards to identify a `/`, stopping at the end of the string. However, +the function assumed that the strings did not start with a `/`. If the +paths contain only a single `/` at the beginning of the string, then the +function would continue the loop, erroneously, when they should have +stopped at the first character. + +Correct the order of the tests to terminate properly. + +Credit to Michael Rodler (@f0rki) and Amazon AWS Security. + +Bug-Debian: https://bugs.debian.org/1063416 +Origin: upstream, https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3 +--- + src/index.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/index.c b/src/index.c +index d5afc9b..e502683 100644 +--- a/src/index.c ++++ b/src/index.c +@@ -1147,10 +1147,13 @@ static int has_dir_name(git_index *index, + size_t len, pos; + + for (;;) { +- if (*--slash == '/') +- break; ++ slash--; ++ + if (slash <= entry->path) + return 0; ++ ++ if (*slash == '/') ++ break; + } + len = slash - name; + diff -Nru libgit2-1.1.0+dfsg.1/debian/patches/series libgit2-1.1.0+dfsg.1/debian/patches/series --- libgit2-1.1.0+dfsg.1/debian/patches/series 2023-02-24 12:05:26.000000000 +0000 +++ libgit2-1.1.0+dfsg.1/debian/patches/series 2024-02-08 17:19:25.000000000 +0000 @@ -1,3 +1,4 @@ disable-online-tests.patch enable-repro-builds.patch CVE-2023-22742.patch +CVE-2024-24577.patch
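Review bot: In the `has_dir_name` loop in src/index.c, the new bound is tested against `entry->path` (`if (slash <= entry->path)`) while the length right after the loop is still computed as `len = slash - name`; the hunk does not show that the two are the same pointer, so either use one of them in both places or add a comment stating that `name` is `entry->path`. The reordering matches the description: `slash` is decremented, the bounds check returns 0, and only then is `*slash` read, so a path whose only `/` is its first character is no longer walked past its start. Two follow-ups: the patch touches only src/index.c (1 file changed), so a regression test that adds an entry whose path begins with `/` would be worth carrying; and if `slash` can enter the loop already equal to `entry->path` (its initialisation is outside the hunk), `slash--` still forms a pointer before the buffer ahead of the check, which testing before the decrement would avoid.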
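Review bot: The debian/changelog entry calls this a use-after-free in git_index_add, but the description in debian/patches/CVE-2024-24577.patch only describes a loop in `has_dir_name` that fails to stop at the first character, and neither text connects the two. A sentence in the patch header saying how the over-long walk is reached from `git_index_add` would let someone auditing the stable update match the CVE to the fix without opening the upstream commit named in `Origin:`.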