From e805815c7638631dad0cd2348d819fb2672eea09 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 23 2023 09:01:30 +0000
Subject: import git-1.8.3.1-25.el7_9
---
diff --git a/SOURCES/git-cve-2023-25652.patch b/SOURCES/git-cve-2023-25652.patch
new file mode 100644
index 0000000..bf42f53
--- /dev/null
+++ b/SOURCES/git-cve-2023-25652.patch
@@ -0,0 +1,54 @@
+diff -up ./builtin/apply.c.original ./builtin/apply.c
+--- ./builtin/apply.c.original 2023-05-18 14:44:01.287997256 +0900
++++ ./builtin/apply.c 2023-05-18 14:44:45.513756974 +0900
+@@ -4151,7 +4151,7 @@ static int write_out_one_reject(struct p
+ FILE *rej;
+ char namebuf[PATH_MAX];
+ struct fragment *frag;
+- int cnt = 0;
++ int fd, cnt = 0;
+ struct strbuf sb = STRBUF_INIT;
+
+ for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4190,7 +4190,17 @@ static int write_out_one_reject(struct p
+ memcpy(namebuf, patch->new_name, cnt);
+ memcpy(namebuf + cnt, ".rej", 5);
+
+- rej = fopen(namebuf, "w");
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0) {
++ if (errno != EEXIST)
++ die_errno(_("cannot open %s"), namebuf);
++ if (unlink(namebuf))
++ die_errno(_("cannot unlink '%s'"), namebuf);
++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++ if (fd < 0)
++ die_errno(_("cannot open %s"), namebuf);
++ }
++ rej = fdopen(fd, "w");
+ if (!rej)
+ return error(_("cannot open %s: %s"), namebuf, strerror(errno));
+
+diff -up ./t/t4115-apply-symlink.sh.original ./t/t4115-apply-symlink.sh
+--- ./t/t4115-apply-symlink.sh.original 2023-05-18 14:45:50.675876356 +0900
++++ ./t/t4115-apply-symlink.sh 2023-05-18 14:46:42.075759315 +0900
+@@ -46,4 +46,19 @@ test_expect_success SYMLINKS 'apply --in
+
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++ test_when_finished "git reset --hard && git clean -dfx" &&
++
++ test_commit file &&
++ echo modified >file.t &&
++ git diff -- file.t >patch &&
++ echo modified-again >file.t &&
++
++ ln -s foo file.t.rej &&
++ test_must_fail git apply patch --reject 2>err &&
++ test_i18ngrep "Rejected hunk" err &&
++ test_path_is_missing foo &&
++ test_path_is_file file.t.rej
++'
++
+ test_done
diff --git a/SOURCES/git-cve-2023-29007.patch b/SOURCES/git-cve-2023-29007.patch
new file mode 100644
index 0000000..0e4792c
--- /dev/null
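Review bot: In the second builtin/apply.c hunk, the `fdopen()` failure path returns without closing `fd`, so the descriptor opened just above leaks; it is also the only failure in this sequence that returns `error(...)`, while the three new failures call `die_errno()`. Closing the descriptor after the message is formatted keeps `errno` intact for `strerror()`: `if (!rej) { int ret = error(_("cannot open %s: %s"), namebuf, strerror(errno)); close(fd); return ret; }`. A comment above the first `open()` would record why `O_EXCL` is used, for example `/* O_EXCL: never write through a pre-existing .rej symlink; unlink it and create a fresh file */`. write_out_one_reject() begins and ends outside both hunks, so whether callers expect a -1 return rather than a die on these paths cannot be confirmed from here.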
+++ b/SOURCES/git-cve-2023-29007.patch 
@@ -0,0 +1,100 @@
+diff -up ./config.c.original ./config.c
+--- ./config.c.original 2023-05-18 15:11:28.221121569 +0900
++++ ./config.c 2023-05-18 15:24:30.178828343 +0900
+@@ -1701,6 +1701,8 @@ static int section_name_is_ok(const char
+ return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
++
+ /* if new_name == NULL, the section is removed instead */
+ int git_config_rename_section_in_file(const char *config_filename,
+ const char *old_name, const char *new_name)
+@@ -1709,8 +1711,9 @@ int git_config_rename_section_in_file(co
+ char *filename_buf = NULL;
+ struct lock_file *lock;
+ int out_fd;
+- char buf[1024];
++ struct strbuf buf = STRBUF_INIT;
+ FILE *config_file;
++ uint32_t line_nr = 0;
+
+ if (new_name && !section_name_is_ok(new_name)) {
+ ret = error("invalid section name: %s", new_name);
+@@ -1732,15 +1735,25 @@ int git_config_rename_section_in_file(co
+ goto unlock_and_out;
+ }
+
+- while (fgets(buf, sizeof(buf), config_file)) {
++ while (!strbuf_getwholeline(&buf, config_file, '\n')) {
+ int i;
+ int length;
+- char *output = buf;
+- for (i = 0; buf[i] && isspace(buf[i]); i++)
++ char *output = buf.buf;
++
++ line_nr++;
++
++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) {
++ ret = error(_("refusing to work with overly long line "
++ "in '%s' on line %"PRIuMAX),
++ config_filename, (uintmax_t)line_nr);
++ goto out;
++ }
++
++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++)
+ ; /* do nothing */
+- if (buf[i] == '[') {
++ if (buf.buf[i] == '[') {
+ /* it's a section */
+- int offset = section_name_match(&buf[i], old_name);
++ int offset = section_name_match(&buf.buf[i], old_name);
+ if (offset > 0) {
+ ret++;
+ if (new_name == NULL) {
+@@ -1785,6 +1798,7 @@ unlock_and_out:
+ ret = error("could not commit config file %s", config_filename);
+ out:
+ free(filename_buf);
++ strbuf_release(&buf);
+ return ret;
+ }
+
+diff -up ./t/t1300-repo-config.sh.original ./t/t1300-repo-config.sh
+--- ./t/t1300-repo-config.sh.original 2023-05-18 15:17:53.636877440 +0900
++++ ./t/t1300-repo-config.sh 2023-05-18 15:25:16.931647850 +0900
+@@ -1122,4 +1122,34 @@ test_expect_failure 'adding a key into a
+ test_cmp expect .git/config
+ '
+
++test_expect_success 'renaming a section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y b.e
++'
++
++test_expect_success 'renaming an embedded section with a long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %1024s [a] [foo] e = f\\n" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ git config -f y --rename-section a xyz &&
++ test_must_fail git config -f y foo.e
++'
++
++test_expect_success 'renaming a section with an overly-long line' '
++ {
++ printf "[b]\\n" &&
++ printf " c = d %525000s e" " " &&
++ printf "[a] g = h\\n"
++ } >y &&
++ test_must_fail git config -f y --rename-section a xyz 2>err &&
++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err
++'
++
+ test_done
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 7245bac..7840c29 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -29,7 +29,7 @@
 Name: git
 Version: 1.8.3.1
-Release: 24%{?dist}
+Release: 25%{?dist}
 Summary: Fast Version Control System
 License: GPLv2
 Group: Development/Tools
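Review bot: The new overly-long-line branch in git_config_rename_section_in_file() leaves via `goto out`, and the `out:` label shown in the last config.c hunk only runs `free(filename_buf)`, `strbuf_release(&buf)` and `return ret`. On that path `config_file` does not appear to be closed, and the lock taken earlier is neither committed nor explicitly rolled back. Skipping the commit is correct, since committing would publish a half-rewritten config, but the cleanup should be explicit rather than left to process exit: add `fclose(config_file);` and `rollback_lock_file(lock);` before the `goto out;`. The function body between the hunks is not shown, so confirm that nothing else on this path already releases them. A short comment on `GIT_CONFIG_MAX_LINE_LEN` noting that the cap keeps `buf.len` within the range of the `int i` and `int length` used to walk the line would document why the limit exists.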
@@ -117,6 +117,24 @@ Patch26: git-cve-2022-41903.patch
 # bd482d6 partially backported to support $SQ variable
 # c4a7bce to not crash new tests in t0003
 Patch27: git-cve-2022-23521.patch
+# Fix CVE-2023-25652: git: by feeding specially crafted input to `git apply --reject`,
+# a path outside the working tree can be overwritten with partially controlled contents
+# https://bugzilla.redhat.com/show_bug.cgi?id=2188333
+# The fix includes apply --reject patch from Apr 18,2023
+# https://github.com/git/git/compare/v2.30.8...v2.30.9
+# The relevant commit is:
+# 9db0571 apply --reject: overwrite existing .rej symlink if it exists
+Patch28: git-cve-2023-25652.patch
+# Fix CVE-2023-29007: git: arbitrary configuration injection when renaming or
+# deleting a section from a configuration file
+# https://bugzilla.redhat.com/show_bug.cgi?id=2188338
+# The fix includes some of section rename patch from Apr 18,2023
+# https://github.com/git/git/compare/v2.30.8...v2.30.9
+# The relevent commits are
+# a5bb10f config: avoid fixed-sized buffer when renaming/deleting a section
+# 3bb3d6b config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+# 2919821 t1300: demonstrate failure when renaming sections with long lines
+Patch29: git-cve-2023-29007.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -376,6 +394,8 @@ Requires: gnome-keyring
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
+%patch28 -p1
+%patch29 -p1
 chmod a+x t/t0011-hashmap.sh t/t1307-config-blob.sh t/t4139-apply-escape.sh t/t7415-submodule-names.sh t/t7416-submodule-dash-url.sh t/t7417-submodule-path-url.sh
@@ -692,6 +712,10 @@ rm -rf %{buildroot}
 # No files for you!
 %changelog
+* Thu May 18 2023 Masahiro Matsuya - 1.8.3.1-25
+- Fixes CVE-2023-25652 and CVE-2023-29007
+- Resolves: #2188354, #2188365
+
 * Tue Feb 21 2023 Ondřej Pohořelský - 1.8.3.1-24
 - Fixes CVE-2022-23521 and CVE-2022-41903
 - Resolves: #2162067