From a1459aea8619f2e5c3c6545460e4853ab50456b1 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Sat, 17 Feb 2024 10:16:07 +0800
Subject: [PATCH] Fix CVE-2024-24575,CVE-2024-24577

---
 CVE-2024-24575.patch | 50 +++++++++++++++++++++++++++++++++++++++++++
 CVE-2024-24577.patch | 51 ++++++++++++++++++++++++++++++++++++++++++++
 rust.spec            |  9 +++++++-
 3 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-24575.patch
 create mode 100644 CVE-2024-24577.patch

diff --git a/CVE-2024-24575.patch b/CVE-2024-24575.patch
new file mode 100644
index 0000000..b759146
--- /dev/null
+++ b/CVE-2024-24575.patch
@@ -0,0 +1,50 @@
+From c9d31b711e8906cf248566f43142f20b03e20cbf Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Fri, 17 Nov 2023 16:54:47 +0000
+Subject: [PATCH] revparse: fix parsing bug for trailing `@`
+
+Origin: https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
+
+When parsing a revspec that ends with a trailing `@`, explicitly stop
+parsing. Introduce a sentinel variable to explicitly stop parsing.
+
+Prior to this, we would set `spec` to `HEAD`, but were looping on the
+value of `spec[pos]`, so we would continue walking the (new) `spec`
+at offset `pos`, looking for a NUL. This is obviously an out-of-bounds
+read.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+---
+ vendor/libgit2-sys/libgit2/src/revparse.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/libgit2-sys/libgit2/src/revparse.c b/vendor/libgit2-sys/libgit2/src/revparse.c
+index 964afe378da..06d92f82bf2 100644
+--- a/vendor/libgit2-sys/libgit2/src/revparse.c
++++ b/vendor/libgit2-sys/libgit2/src/revparse.c
+@@ -701,6 +701,7 @@ static int revparse(
+ 	git_object *base_rev = NULL;
+ 
+ 	bool should_return_reference = true;
++	bool parsed = false;
+ 
+ 	GIT_ASSERT_ARG(object_out);
+ 	GIT_ASSERT_ARG(reference_out);
+@@ -710,7 +711,7 @@ static int revparse(
+ 	*object_out = NULL;
+ 	*reference_out = NULL;
+ 
+-	while (spec[pos]) {
++	while (!parsed && spec[pos]) {
+ 		switch (spec[pos]) {
+ 		case '^':
+ 			should_return_reference = false;
+@@ -817,6 +818,8 @@ static int revparse(
+ 				break;
+ 			} else if (spec[pos+1] == '\0') {
+ 				spec = "HEAD";
++				identifier_len = 4;
++				parsed = true;
+ 				break;
+ 			}
+ 			/* fall through */
diff --git a/CVE-2024-24577.patch b/CVE-2024-24577.patch
new file mode 100644
index 0000000..2314ff1
--- /dev/null
+++ b/CVE-2024-24577.patch
@@ -0,0 +1,51 @@
+From eb4c1716cd92bf56f2770653a915d5fc01eab8f3 Mon Sep 17 00:00:00 2001
+From: Edward Thomson <ethomson@edwardthomson.com>
+Date: Sat, 16 Dec 2023 11:19:07 +0000
+Subject: [PATCH] index: correct index has_dir_name check
+
+Origin: https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
+
+`has_dir_name` is used to check for directory/file collisions,
+and attempts to determine whether the index contains a file with
+a directory name that is a proper subset of the new index entry
+that we're trying to add.
+
+To determine directory name, the function would walk the path string
+backwards to identify a `/`, stopping at the end of the string. However,
+the function assumed that the strings did not start with a `/`. If the
+paths contain only a single `/` at the beginning of the string, then the
+function would continue the loop, erroneously, when they should have
+stopped at the first character.
+
+Correct the order of the tests to terminate properly.
+
+Credit to Michael Rodler (@f0rki) and Amazon AWS Security.
+
+---
+ vendor/libgit2-sys/libgit2/src/index.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/libgit2-sys/libgit2/src/index.c b/vendor/libgit2-sys/libgit2/src/index.c
+index 7ebe075..7862273 100644
+--- a/vendor/libgit2-sys/libgit2/src/index.c
++++ b/vendor/libgit2-sys/libgit2/src/index.c
+@@ -1155,10 +1155,14 @@ static int has_dir_name(git_index *index,
+ 		size_t len, pos;
+ 
+ 		for (;;) {
+-			if (*--slash == '/')
+-				break;
++			slash--;
++
+ 			if (slash <= entry->path)
+ 				return 0;
++
++
++			if (*slash == '/')
++				break;
+ 		}
+ 		len = slash - name;
+ 
+-- 
+2.23.0
+
diff --git a/rust.spec b/rust.spec
index 238ec42..5ce7e9f 100644
--- a/rust.spec
+++ b/rust.spec
@@ -10,7 +10,7 @@
 %bcond_without lldb
 Name:                rust
 Version:             1.64.0
-Release:             2
+Release:             3
 Summary:             The Rust Programming Language
 License:             (ASL 2.0 or MIT) and (BSD and MIT)
 URL:                 https://www.rust-lang.org
@@ -31,6 +31,8 @@ Patch0005:           0001-Use-lld-provided-by-system-for-wasm.patch
 Patch0006:           rustc-1.61.0-rust-gdb-substitute-path.patch
 # https://github.com/rust-lang/rust/pull/102076
 Patch0007:           0001-rustc_transmute-fix-big-endian-discriminants.patch
+Patch0008:           CVE-2024-24575.patch
+Patch0009:           CVE-2024-24577.patch
 
 %{lua: function rust_triple(arch)
   local abi = "gnu"
@@ -263,6 +265,8 @@ sed -i.try-python -e '/^try python3 /i try "%{python}" "$@"' ./configure
 %patch0005 -p1
 %patch0006 -p1
 %patch0007 -p1
+%patch0008 -p1
+%patch0009 -p1
 rm -rf vendor/curl-sys/curl/
 rm -rf vendor/jemalloc-sys/jemalloc/
 rm -rf vendor/libssh2-sys/libssh2/
@@ -493,6 +497,9 @@ export %{rust_env}
 %{_mandir}/man1/cargo*.1*
 
 %changelog
+* Sat Feb 17 2024 wangkai <13474090681@163.com> - 1.64.0-3
+- Fix CVE-2024-24575,CVE-2024-24577
+
 * Sun Jul 30 2023 Funda Wang <fundawang@yeah.net> - 1.64.0-2
 - Use local mirror for speed up
 
-- 
Gitee