diff -u git-1.7.9.5/debian/changelog git-1.7.9.5/debian/changelog
--- git-1.7.9.5/debian/changelog
+++ git-1.7.9.5/debian/changelog
@@ -1,3 +1,18 @@
+git (1:1.7.9.5-1ubuntu0.3) precise-security; urgency=medium
+
+ * SECURITY UPDATE: Fix denial of service or possible arbitrary remote code
+ execution (LP: #1557787)
+ - debian/diff/0023-CVE-2016-2315.patch: Be explicit about the amount of
+ memory being copied
+ - CVE-2016-2315
+ * SECURITY UPDATE: Fix denial of service or possible arbitrary remote code
+ execution
+ - debian/diff/0024-CVE-2016-2324.patch: Use the correct type and maximum
+ size checks when calculating string lengths to prevent integer overflow
+ - CVE-2016-2324
+
+ -- Tyler Hicks Mon, 21 Mar 2016 09:44:42 -0500
+
 git (1:1.7.9.5-1ubuntu0.2) precise-security; urgency=medium

 * SECURITY UPDATE: arbitrary code execution issues via URLs
only in patch2:
unchanged:
--- git-1.7.9.5.orig/debian/diff/0024-CVE-2016-2324.patch
+++ git-1.7.9.5/debian/diff/0024-CVE-2016-2324.patch
@@ -0,0 +1,55 @@
+Description: Use the correct type when calculating lengths in path_name()
+ Originally written by Takashi. Slightly modified by Tyler.
+Author: Takashi Iwai
+Author: Tyler Hicks
+Origin: vendor, https://bugzilla.novell.com/show_bug.cgi?id=971328#c6
+
+diff -Nurp a/builtin/pack-objects.c b/builtin/pack-objects.c
+--- a/builtin/pack-objects.c 2012-03-26 16:42:17.000000000 -0500
++++ b/builtin/pack-objects.c 2016-03-20 19:57:58.026162740 -0500
+@@ -2129,6 +2129,9 @@ static void show_object(struct object *o
+ {
+ char *name = path_name(path, last);
+
++ if (!name)
++ die("couldn't show object %s", sha1_to_hex(obj->sha1));
++
+ add_preferred_base_object(name);
+ add_object_entry(obj->sha1, obj->type, name, 0);
+ obj->flags |= OBJECT_ADDED;
+diff -Nurp a/revision.c b/revision.c
+--- a/revision.c 2016-03-20 20:17:16.682350478 -0500
++++ b/revision.c 2016-03-20 20:02:51.115850751 -0500
+@@ -20,12 +20,16 @@ char *path_name(const struct name_path *
+ {
+ const struct name_path *p;
+ char *n, *m;
+- int nlen = strlen(name);
+- int len = nlen + 1;
++ size_t nlen = strlen(name);
++ size_t len = nlen + 1;
+
++ if (nlen >= INT_MAX || len >= INT_MAX)
++ return NULL;
+ for (p = path; p; p = p->up) {
+ if (p->elem_len)
+ len += p->elem_len + 1;
++ if (len >= INT_MAX)
++ return NULL;
+ }
+ n = xmalloc(len);
+ m = n + len - (nlen + 1);
+@@ -86,7 +90,12 @@ void add_object(struct object *obj,
+ struct name_path *path,
+ const char *name)
+ {
+- add_object_array(obj, path_name(path, name), p);
++ char *pn = path_name(path, name);
++
++ if (!pn)
++ die("couldn't add object %s", sha1_to_hex(obj->sha1));
++
++ add_object_array(obj, pn, p);
+ }
+
+ static void mark_blob_uninteresting(struct blob *blob)
only in patch2:
unchanged:
--- git-1.7.9.5.orig/debian/diff/0023-CVE-2016-2315.patch
+++ git-1.7.9.5/debian/diff/0023-CVE-2016-2315.patch
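Review bot: In the path_name() hunk for revision.c the new bound is applied to `len` only after `len += p->elem_len + 1` has already run, so `elem_len` itself is never validated. Its declaration is outside this patch, but if it is a signed int filled from strlen(), a truncated or negative value would still skew the allocation size. Checking each element before the addition, e.g. `if (p->elem_len < 0 || (size_t)p->elem_len >= INT_MAX - len) return NULL;`, would close that gap. path_name() can also now return NULL, and only show_object() in pack-objects.c and add_object() gain a check here, so any other caller in the tree (not visible in this patch) needs the same handling. The bodies of path_name() and show_object() continue outside their hunks.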
@@ -0,0 +1,70 @@
+From 34fa79a6cde56d6d428ab0d3160cb094ebad3305 Mon Sep 17 00:00:00 2001
+From: Jeff King
+Date: Thu, 24 Sep 2015 17:08:19 -0400
+Subject: [PATCH] prefer memcpy to strcpy
+
+When we already know the length of a string (e.g., because
+we just malloc'd to fit it), it's nicer to use memcpy than
+strcpy, as it makes it more obvious that we are not going to
+overflow the buffer (because the size we pass matches the
+size in the allocation).
+
+This also eliminates calls to strcpy, which make auditing
+the code base harder.
+
+Signed-off-by: Jeff King
+Signed-off-by: Junio C Hamano
+---
+ compat/nedmalloc/nedmalloc.c | 5 +++--
+ fast-import.c | 5 +++--
+ revision.c | 2 +-
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/compat/nedmalloc/nedmalloc.c b/compat/nedmalloc/nedmalloc.c
+index 609ebba..a0a16eb 100644
+--- a/compat/nedmalloc/nedmalloc.c
++++ b/compat/nedmalloc/nedmalloc.c
+@@ -954,8 +954,9 @@ char *strdup(const char *s1)
+ {
+ char *s2 = 0;
+ if (s1) {
+- s2 = malloc(strlen(s1) + 1);
+- strcpy(s2, s1);
++ size_t len = strlen(s1) + 1;
++ s2 = malloc(len);
++ memcpy(s2, s1, len);
+ }
+ return s2;
+ }
+diff --git a/fast-import.c b/fast-import.c
+index 895c6b4..cf6d8bc 100644
+--- a/fast-import.c
++++ b/fast-import.c
+@@ -638,8 +638,9 @@ static void *pool_calloc(size_t count, size_t size)
+
+ static char *pool_strdup(const char *s)
+ {
+- char *r = pool_alloc(strlen(s) + 1);
+- strcpy(r, s);
++ size_t len = strlen(s) + 1;
++ char *r = pool_alloc(len);
++ memcpy(r, s, len);
+ return r;
+ }
+
+diff --git a/revision.c b/revision.c
+index af2a18e..2236463 100644
+--- a/revision.c
++++ b/revision.c
+@@ -29,7 +29,7 @@ char *path_name(const struct name_path *path, const char *name)
+ }
+ n = xmalloc(len);
+ m = n + len - (nlen + 1);
+- strcpy(m, name);
++ memcpy(m, name, nlen + 1);
+ for (p = path; p; p = p->up) {
+ if (p->elem_len) {
+ m -= p->elem_len + 1;
+--
+2.7.0
+
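Review bot: In the nedmalloc.c strdup() hunk the result of `malloc(len)` is passed straight to `memcpy`, so an allocation failure becomes a write through a NULL destination instead of a NULL return. Guarding the copy with `if (s2) memcpy(s2, s1, len);` keeps the function's contract. In the revision.c hunk, `memcpy(m, name, nlen + 1)` is only as safe as the `len`/`nlen` computation above it, which starts outside this hunk. A short comment there, such as `/* n was sized from len, which includes nlen + 1 */`, would make that dependency explicit for auditors.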