Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15
git.32663
CVE-2023-29007-2.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-29007-2.patch of Package git.32663
commit e91cfe6085c4a61372d1f800b473b73b8d225d0d Author: Taylor Blau <me@ttaylorr.com> Date: Thu Apr 6 14:28:53 2023 -0400 config.c: avoid integer truncation in `copy_or_rename_section_in_file()` There are a couple of spots within `copy_or_rename_section_in_file()` that incorrectly use an `int` to track an offset within a string, which may truncate or wrap around to a negative value. Historically it was impossible to have a line longer than 1024 bytes anyway, since we used fgets() with a fixed-size buffer of exactly that length. But the recent change to use a strbuf permits us to read lines of arbitrary length, so it's possible for a malicious input to cause us to overflow past INT_MAX and do an out-of-bounds array read. Practically speaking, however, this should never happen, since it requires 2GB section names or values, which are unrealistic in non-malicious circumstances. Co-authored-by: Jeff King <peff@peff.net> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Taylor Blau <me@ttaylorr.com> Index: git-2.26.2/config.c =================================================================== --- git-2.26.2.orig/config.c 2023-04-24 13:25:57.672390778 +0000 +++ git-2.26.2/config.c 2023-04-24 13:28:09.061950564 +0000 @@ -2993,9 +2993,10 @@ void git_config_set_multivar(const char multi_replace); } -static int section_name_match (const char *buf, const char *name) +static size_t section_name_match (const char *buf, const char *name) { - int i = 0, j = 0, dot = 0; + size_t i = 0, j = 0; + int dot = 0; if (buf[i] != '[') return 0; for (i = 1; buf[i] && buf[i] != ']'; i++) { @@ -3099,15 +3100,14 @@ static int git_config_copy_or_rename_sec } while (!strbuf_getwholeline(&buf, config_file, '\n')) { - int i; - int length; + size_t i, length; int is_section = 0; char *output = buf.buf; for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) ; /* do nothing */ if (buf.buf[i] == '[') { /* it's a section */ - int offset; + size_t offset; is_section = 1; /*
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor