Commit 491722e83d6369e8e70bccb1755d878dcc47a9a5

Carlos Martín Nieto 2018-05-29T19:27:59

CHANGELOG: mention fixes for CVE-2018-11235

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27bc012..bd495d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ v0.27 + 1
 * The line-ending filtering logic - when checking out files - has been
   updated to match newer git (>= git 2.9) for proper interoperability.
 
+* Submodules with names which attempt to perform path traversal now have their
+  configuration ignored. Such names were blindly appended to the
+  `$GIT_DIR/modules` and a malicious name could lead to an attacker writing to
+  an arbitrary location. This matches git's handling of CVE-2018-11235.
+
 ### API additions
 
 ### API removals
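Review bot: In the second added line, "blindly appended to the `$GIT_DIR/modules`" is missing its noun; "appended to the `$GIT_DIR/modules` directory" reads correctly. The entry also says the configuration is "ignored" without saying whether the caller gets an error or the submodule is silently skipped. One clause on the observable behaviour would help anyone whose submodule stops resolving after upgrading.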
@@ -14,6 +19,10 @@ v0.27 + 1
 
 * The default checkout strategy changed from `DRY_RUN` to `SAFE` (#4531).
 
+* Adding a symlink as .gitmodules into the index from the workdir or checking
+  out such files is not allowed as this can make a Git implementation write
+  outside of the repository and bypass the fsck checks for CVE-2018-11235.
+
 v0.27
 ---------
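Review bot: In the first added line, `.gitmodules` is left as bare text while the neighbouring entries put `DRY_RUN`, `SAFE` and `$GIT_DIR/modules` in backticks; quoting it would match. Because this lands in the same list as the checkout-strategy change, it reads as a behaviour change for callers, yet "is not allowed" does not say what an index add or a checkout now returns when it meets such a symlink. Stating the resulting error, and adding a reference like the `(#4531)` on the entry above, would make the entry actionable.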