CHANGELOG: mention CVE-2018-11235 is covered by v0.27.1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c2b5071..061e9a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,14 +2,19 @@ v0.27.1
---------
This is a security release fixing insufficient validation of submodule names
-(CVE-2018-11235, reported by Etienne Stalmans).
+(CVE-2018-11235, reported by Etienne Stalmans) and disallows `.gitmodules` files
+as symlinks.
While submodule names come from the untrusted ".gitmodules" file, we blindly
append the name to "$GIT_DIR/modules" to construct the final path of the
submodule repository. In case the name contains e.g. "../", an adversary would
be able to escape your repository and write data at arbitrary paths. In
accordance with git, we now enforce some rules for submodule names which will
-cause libgit2 to ignore these melicious names.
+cause libgit2 to ignore these malicious names.
+
+Adding a symlink as `.gitmodules` into the index from the workdir or checking
+out such files is not allowed as this can make a Git implementation write
+outside of the repository and bypass the `fsck` checks for CVE-2018-11235.
libgit2 is not susceptible to CVE-2018-11233.
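Review bot: the new first sentence no longer parses: "This is a security release fixing insufficient validation of submodule names (...) and disallows `.gitmodules` files as symlinks" mixes a participle with a finite verb; change it to "... and disallowing `.gitmodules` files as symlinks" (or make it a separate sentence) so the two fixes read in parallel. On the same hunk, the commit subject says the change is about mentioning CVE-2018-11235, but the CVE line was already present in the old text; the substantive addition is the paragraph about rejecting `.gitmodules` symlinks in the index and on checkout, so the subject should name that instead. Since the added paragraph explains that the symlink case bypasses the `fsck` checks for CVE-2018-11235, it would also help readers to state explicitly that this is a second, distinct hardening in v0.27.1 rather than part of the original CVE fix.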