diff --git a/0001-packfile-Correct-zlib-buffer-handling.patch b/0001-packfile-Correct-zlib-buffer-handling.patch
new file mode 100644
index 0000000..7de2b9a
--- /dev/null
+++ b/0001-packfile-Correct-zlib-buffer-handling.patch
@@ -0,0 +1,50 @@
+From 0255347aed203301302e3f8e39fa87349e178019 Mon Sep 17 00:00:00 2001
+From: Jeremy Linton
+Date: Fri, 25 May 2018 17:56:01 -0500
+Subject: [PATCH] packfile: Correct zlib buffer handling
+
+The buffer being passed to zlib includes a null terminator that
+git needs to keep in place. unpack_compressed_entry() attempts to
+detect the case that the source buffer hasn't been fully consumed
+by checking to see if the destination buffer has been over consumed.
+
+This yields two problems, first a single byte overrun won't be detected
+properly because the Z_STREAM_END will then be set, but the null
+terminator will have been overwritten. The other problem is that
+more recent zlib patches have been poisoning the unconsumed portions
+of the buffers which also overwrites the null, while correctly
+returning length and status.
+
+Lets rely on the fact that the source buffer will only be fully
+consumed when the when the destination buffer is inflated to the
+correct size. We can do this by passing zlib the correct buffer size
+and properly checking the return status. The latter check actually
+already exists if the buffer size is correct.
+
+Signed-off-by: Jeremy Linton
+---
+ packfile.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/packfile.c b/packfile.c
+index 7c1a2519fc..245eb32041 100644
+--- a/packfile.c
++++ b/packfile.c
+@@ -1416,7 +1416,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
+ return NULL;
+ memset(&stream, 0, sizeof(stream));
+ stream.next_out = buffer;
+- stream.avail_out = size + 1;
++ stream.avail_out = size;
+
+ git_inflate_init(&stream);
+ do {
+@@ -1424,7 +1424,7 @@ static void *unpack_compressed_entry(struct packed_git *p,
+ stream.next_in = in;
+ st = git_inflate(&stream, Z_FINISH);
+ if (!stream.avail_out)
+- break; /* the payload is larger than it should be */
++ break; /* done, st indicates if source fully consumed */
+ curpos += stream.next_in - in;
+ } while (st == Z_OK || st == Z_BUF_ERROR);
+ git_inflate_end(&stream);
diff --git a/git.spec b/git.spec
index ebced47..15d2b14 100644
--- a/git.spec
+++ b/git.spec
@@ -83,7 +83,7 @@ Name: git Version: 2.17.1 -Release: 1%{?rcrev}%{?dist} +Release: 2%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 URL: https://git-scm.com/
@@ -123,6 +123,9 @@ Patch3: 0001-daemon.c-fix-condition-for-redirecting-stderr.patch # https://bugzilla.redhat.com/1581678 # https://public-inbox.org/git/20180524062733.5412-1-newren@gmail.com/ Patch4: 0001-rev-parse-check-lookup-ed-commit-references-for-NULL.patch +# https://bugzilla.redhat.com/1582555 +# https://public-inbox.org/git/20180525231713.23047-1-lintonrjeremy@gmail.com/ +Patch5: 0001-packfile-Correct-zlib-buffer-handling.patch %if %{with docs} BuildRequires: asciidoc >= 8.4.1
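Review bot: With `stream.avail_out = size` the `if (!stream.avail_out) break;` exit now fires on every object of exactly the expected length, so whether the loop ends with Z_STREAM_END depends on zlib having consumed the stream trailer in the same `git_inflate()` call that produced the last output byte. Because the input is fed in chunks (the loop advances `curpos` and repeats on Z_OK / Z_BUF_ERROR), a valid object whose last output byte lands at a chunk boundary may leave `st` at Z_OK or Z_BUF_ERROR and be rejected by the status check the commit message says already exists after `git_inflate_end()` (outside the hunk) — a spurious corrupt-object failure rather than a safety gain. The spare byte in `size + 1` is what guaranteed that the break only ever triggered on a genuinely oversized payload, which is the check the original comment described. A lower-risk way to get the same NUL-terminator guarantee is to keep `size + 1` and the original break comment, and re-terminate after the loop once the stream-end status has been confirmed: `buffer[size] = '\0'; /* some zlib builds clobber the unconsumed part of the output buffer */`. unpack_compressed_entry() starts and ends outside the hunk.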
@@ -421,7 +424,19 @@ rm -rf "$tar" "$gpghome" # Cleanup tar files and tmp gpg home dir # Ensure a blank line follows autosetup, el6 chokes otherwise # https://bugzilla.redhat.com/1310704 -%autosetup -p1 -n %{name}-%{version}%{?rcrev} +#autosetup -p1 -n %{name}-%{version}%{?rcrev} + +# Setup/apply patches manually to limit the zlib patch to aarch64 +# until it is accepted upstream +%setup -q -n %{name}-%{version}%{?rcrev} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%ifarch aarch64 +%patch5 -p1 +%endif # Install print-failed-test-output script install -p -m 755 %{SOURCE99} print-failed-test-output
@@ -887,6 +902,9 @@ make test || ./print-failed-test-output %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Tue May 29 2018 Todd Zullinger - 2.17.1-2 +- packfile: Correct zlib buffer handling (#1582555) + +* Tue May 29 2018 Todd Zullinger - 2.17.1-1 - Update to 2.17.1 (CVE-2018-11233, CVE-2018-11235)
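Review bot: The added `#autosetup -p1 -n %{name}-%{version}%{?rcrev}` keeps the replaced macro call as commented-out code, and the surviving context comment "Ensure a blank line follows autosetup, el6 chokes otherwise" now describes a call that is no longer there; drop the commented line and reword that comment to refer to `%setup`. Replacing `%autosetup` with the explicit `%patch0` … `%patch4` list also means every future `PatchN:` entry must be mirrored here by hand, and a patch that is declared but never applied may go unnoticed at build time. A comment next to `%setup -q -n %{name}-%{version}%{?rcrev}` such as `# NOTE: patches are applied explicitly below; add a %patchN line for every new PatchN: entry` would make that coupling visible to the next maintainer.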