packages/rust
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!108 Fix CVE-2024-24577

Browse Source 
From: @starlet-dx 
Reviewed-by: @wk333 
Signed-off-by: @wk333
This commit is contained in:
openeuler-ci-bot 2024-02-18 01:00:23 +00:00 committed by Gitee
commit 6b7d045068
2 changed files with 57 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
CVE-2024-24577.patch Normal file
View File

@ -0,0 +1,51 @@
From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
From: Edward Thomson <ethomson@edwardthomson.com>
Date: Sat, 16 Dec 2023 11:19:07 +0000
Subject: [PATCH] index: correct index has_dir_name check
Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
`has_dir_name` is used to check for directory/file collisions,
and attempts to determine whether the index contains a file with
a directory name that is a proper subset of the new index entry
that we're trying to add.
To determine directory name, the function would walk the path string
backwards to identify a `/`, stopping at the end of the string. However,
the function assumed that the strings did not start with a `/`. If the
paths contain only a single `/` at the beginning of the string, then the
function would continue the loop, erroneously, when they should have
stopped at the first character.
Correct the order of the tests to terminate properly.
Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
---
vendor/libgit2-sys/libgit2/src/index.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/vendor/libgit2-sys/libgit2/src/index.c b/vendor/libgit2-sys/libgit2/src/index.c
index 7ebe075..7862273 100644
--- a/vendor/libgit2-sys/libgit2/src/index.c
+++ b/vendor/libgit2-sys/libgit2/src/index.c
@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
size_t len, pos;
for (;;) {
- if (*--slash == '/')
- break;
+ slash--;
+
if (slash <= entry->path)
return 0;
+
+
+ if (*slash == '/')
+ break;
}
len = slash - name;
--
2.23.0

7
rust.spec
View File

@ -12,7 +12,7 @@
%bcond_without lldb %bcond_without lldb
Name: rust Name: rust
Version: 1.51.0 Version: 1.51.0
Release: 6 Release: 7
Summary: The Rust Programming Language Summary: The Rust Programming Language
License: (ASL 2.0 or MIT) and (BSD and MIT) License: (ASL 2.0 or MIT) and (BSD and MIT)
URL: https://www.rust-lang.org URL: https://www.rust-lang.org
@ -40,6 +40,7 @@ Patch0011: cargo-help-clippy-should-have-description-to-user.patch
Patch0012: fix-a-println-wrong-format.patch Patch0012: fix-a-println-wrong-format.patch
Patch0013: CVE-2021-29922.patch Patch0013: CVE-2021-29922.patch
Patch0014: fix-rustdoc-error-info.patch Patch0014: fix-rustdoc-error-info.patch
Patch0015: CVE-2024-24577.patch
%{lua: function rust_triple(arch) %{lua: function rust_triple(arch)
local abi = "gnu" local abi = "gnu"
if arch == "armv7hl" then if arch == "armv7hl" then
@ -264,6 +265,7 @@ mkdir -p src/llvm-project/libunwind/
%patch0012 -p1 %patch0012 -p1
%patch0013 -p1 %patch0013 -p1
%patch0014 -p1 %patch0014 -p1
%patch0015 -p1
rm -rf vendor/curl-sys/curl/ rm -rf vendor/curl-sys/curl/
rm -rf vendor/jemalloc-sys/jemalloc/ rm -rf vendor/jemalloc-sys/jemalloc/
rm -rf vendor/libssh2-sys/libssh2/ rm -rf vendor/libssh2-sys/libssh2/
@ -469,6 +471,9 @@ export %{rust_env}
%{_mandir}/man1/cargo*.1* %{_mandir}/man1/cargo*.1*
%changelog %changelog
* Sat Feb 17 2024 wangkai <13474090681@163.com> - 1.51.0-7
- Fix CVE-2024-24577
* Tue Aug 24 2021 caodongxia <caodongxia@huawei.com> - 1.51.0-6 * Tue Aug 24 2021 caodongxia <caodongxia@huawei.com> - 1.51.0-6
- Fix rustdoc error info - Fix rustdoc error info