Hi, I suggest fixing bug #413629 in etch with version 1:1.4.4.4-2.  sid
already has git-core 1:1.5.0.x, so the fix needs to go through t-p-u.  etch
currently has 1:1.4.4.4-1; the debdiff is attached.  Is uploading ok with
you?

Thanks, Gerrit.
diff -u git-core-1.4.4.4/debian/changelog git-core-1.4.4.4/debian/changelog
--- git-core-1.4.4.4/debian/changelog
+++ git-core-1.4.4.4/debian/changelog
@@ -1,3 +1,12 @@
+git-core (1:1.4.4.4-2) testing-proposed-updates; urgency=high
+
+  * debian/diff/0001-http-push.c-lock_remote-validate-all-remote-refs.diff,
+    debian/diff/0002-Another-memory-overrun-in-http-push.c.diff: new,
+    cherry-pick'ed from upstream maint branch: fix memory overruns in
+    http-push.c (closes: #413629).
+
+ -- Gerrit Pape <[EMAIL PROTECTED]>  Wed,  7 Mar 2007 17:14:04 +0000
+
 git-core (1:1.4.4.4-1) unstable; urgency=low
 
   * new upstream release, important fixes:
only in patch2:
unchanged:
--- 
git-core-1.4.4.4.orig/debian/diff/0002-Another-memory-overrun-in-http-push.c.diff
+++ git-core-1.4.4.4/debian/diff/0002-Another-memory-overrun-in-http-push.c.diff
@@ -0,0 +1,49 @@
+From 9a580d9d5d9e148f1cd78807c5b0476ec2431cfd Mon Sep 17 00:00:00 2001
+From: Eygene Ryabinkin <[EMAIL PROTECTED]>
+Date: Thu, 1 Mar 2007 19:09:12 +0300
+Subject: [PATCH] Another memory overrun in http-push.c
+
+Use of strlcpy() are wrong, as the source buffer at these
+locations may not be NUL-terminated.
+---
+ http-push.c |   10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/http-push.c b/http-push.c
+index 60d2844..3f58ec4 100644
+--- a/http-push.c
++++ b/http-push.c
+@@ -1268,7 +1268,9 @@ xml_cdata(void *userData, const XML_Char *s, int len)
+       struct xml_ctx *ctx = (struct xml_ctx *)userData;
+       free(ctx->cdata);
+       ctx->cdata = xmalloc(len + 1);
+-      strlcpy(ctx->cdata, s, len + 1);
++      /* NB: 's' is not null-terminated, can not use strlcpy here */
++      memcpy(ctx->cdata, s, len);
++      ctx->cdata[len] = '\0';
+ }
+ 
+ static struct remote_lock *lock_remote(const char *path, long timeout)
+@@ -1470,7 +1472,8 @@ static void process_ls_object(struct remote_ls_ctx *ls)
+               return;
+       path += 8;
+       obj_hex = xmalloc(strlen(path));
+-      strlcpy(obj_hex, path, 3);
++      /* NB: path is not null-terminated, can not use strlcpy here */
++      memcpy(obj_hex, path, 2);
+       strcpy(obj_hex + 2, path + 3);
+       one_remote_object(obj_hex);
+       free(obj_hex);
+@@ -2167,7 +2170,8 @@ static void fetch_symref(const char *path, char 
**symref, unsigned char *sha1)
+       /* If it's a symref, set the refname; otherwise try for a sha1 */
+       if (!strncmp((char *)buffer.buffer, "ref: ", 5)) {
+               *symref = xmalloc(buffer.posn - 5);
+-              strlcpy(*symref, (char *)buffer.buffer + 5, buffer.posn - 5);
++              memcpy(*symref, (char *)buffer.buffer + 5, buffer.posn - 6);
++              (*symref)[buffer.posn - 6] = '\0';
+       } else {
+               get_sha1_hex(buffer.buffer, sha1);
+       }
+-- 
+1.5.0.3
+
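Review bot: In the fetch_symref hunk of the embedded patch, `buffer.posn - 6` is used as both the memcpy length and the terminator index with no visible lower bound on `buffer.posn`; if the fetched data is exactly `ref: ` (5 bytes), the value goes negative or wraps, depending on the type of `posn`, which is not shown here. That buffer is filled from the remote server's response, so the branch should be guarded, e.g. `if (buffer.posn > 5 && !strncmp((char *)buffer.buffer, "ref: ", 5)) {`, unless a check outside the hunk already guarantees it. The byte dropped at the end is presumably a trailing newline, but nothing in the hunk verifies that. Separately, the new comment in process_ls_object says `path` is not null-terminated, yet the adjacent `strlen(path)` and `strcpy(obj_hex + 2, path + 3)` depend on it being terminated, so the comment should instead say why only two bytes are copied.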
only in patch2:
unchanged:
--- 
git-core-1.4.4.4.orig/debian/diff/0001-http-push.c-lock_remote-validate-all-remote-refs.diff
+++ 
git-core-1.4.4.4/debian/diff/0001-http-push.c-lock_remote-validate-all-remote-refs.diff
@@ -0,0 +1,30 @@
+From f727f23b35496ce0dc51f82249c57c29e9b63602 Mon Sep 17 00:00:00 2001
+From: Eygene Ryabinkin <[EMAIL PROTECTED]>
+Date: Wed, 28 Feb 2007 12:12:02 -0800
+Subject: [PATCH] http-push.c::lock_remote(): validate all remote refs.
+
+Starting from offset 11 might have been good back when it was
+only used for updating "refs/heads/*", but it is used to update
+"info/refs" and "refs/tags/*" as well.
+
+Signed-off-by: Junio C Hamano <[EMAIL PROTECTED]>
+---
+ http-push.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/http-push.c b/http-push.c
+index ecefdfd..60d2844 100644
+--- a/http-push.c
++++ b/http-push.c
+@@ -1292,7 +1292,7 @@ static struct remote_lock *lock_remote(const char *path, 
long timeout)
+       sprintf(url, "%s%s", remote->url, path);
+ 
+       /* Make sure leading directories exist for the remote ref */
+-      ep = strchr(url + strlen(remote->url) + 11, '/');
++      ep = strchr(url + strlen(remote->url) + 1, '/');
+       while (ep) {
+               *ep = 0;
+               slot = get_active_slot();
+-- 
+1.5.0.3
+
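Review bot: The new start offset `+ 1` in lock_remote still assumes `path` has at least one character; for an empty `path` the search would begin one byte past the terminator written by `sprintf`, and whether that byte lies inside the `url` allocation cannot be told from the hunk, since the allocation is outside it. A guard such as `ep = *path ? strchr(url + strlen(remote->url) + 1, '/') : NULL;` would make the assumption explicit. The offset also deserves a short comment, e.g. `/* skip the first byte of path so a leading '/' is not taken as a directory boundary */`, if that is the intent.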
