thodg/libgit2/CHANGELOG.md

v0.27.5

This is a security release fixing the following list of issues:

v0.27.4

This is a security release fixing out-of-bounds reads when processing smart-protocol “ng” packets.

When parsing an “ng” packet, we keep track of both the current position as well as the remaining length of the packet itself. But instead of taking care not to exceed the length, we pass the current pointer’s position to strchr, which will search for a certain character until hitting NUL. It is thus possible to create a crafted packet which doesn’t contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.
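The difference between the unbounded and the length-bounded search, as an added example (not libgit2's own code): a parser that takes the packet's length and searches only within it. The `ng <ref> <msg>\n` layout, the `parse_ng` function, the `ng_fields` type and the sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: slices into the packet, not NUL-terminated. */
struct ng_fields { const char *ref, *msg; size_t ref_len, msg_len; };

/* Constructed sample packets, deliberately without a trailing NUL byte. */
static const char PKT_OK[] = {'n','g',' ','r','e','f','s','/','x',' ','n','o','\n'};
static const char PKT_NO_SPACE[] = {'n','g',' ','r','e','f','s','/','x'};

/*
 * Parse "ng <ref> <msg>\n" from exactly `len` bytes (layout is an assumption).
 * Each search uses memchr() bounded by the bytes that remain, where
 * strchr() would keep scanning until it met a NUL outside the buffer.
 * Returns 0 on success, -1 if the packet is malformed.
 */
int parse_ng(struct ng_fields *out, const char *line, size_t len)
{
    const char *sp, *nl;
    if (len < 3 || memcmp(line, "ng ", 3) != 0)
        return -1;
    line += 3;
    len -= 3;

    sp = memchr(line, ' ', len);        /* end of the reference name */
    if (sp == NULL || sp == line)
        return -1;
    out->ref = line;
    out->ref_len = (size_t)(sp - line);

    len -= out->ref_len + 1;            /* consume ref and the space */
    line = sp + 1;
    nl = memchr(line, '\n', len);       /* end of the message */
    if (nl == NULL)
        return -1;
    out->msg = line;
    out->msg_len = (size_t)(nl - line);
    return 0;
}

int main(void)
{
    struct ng_fields f;
    if (parse_ng(&f, PKT_OK, sizeof PKT_OK) == 0)
        printf("ref=%.*s msg=%.*s\n", (int)f.ref_len, f.ref, (int)f.msg_len, f.msg);
    printf("no separator: %d\n", parse_ng(&f, PKT_NO_SPACE, sizeof PKT_NO_SPACE));
    return 0;
}
```

The returned slices point into the caller's buffer and carry explicit lengths, so later code must not treat them as C strings.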

v0.27.3

This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.

When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object “base”. A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function git_apply__patch. But as this function is not in use outside of our test suite, it is not a possible attack vector.

v0.27.2

Changes or improvements

v0.27.1

This is a security release that fixes insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans) and disallows .gitmodules files as symlinks.

While submodule names come from the untrusted “.gitmodules” file, we blindly append the name to “$GIT_DIR/modules” to construct the final path of the submodule repository. In case the name contains e.g. “../”, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.

Adding a symlink as .gitmodules into the index from the workdir or checking out such files is not allowed as this can make a Git implementation write outside of the repository and bypass the fsck checks for CVE-2018-11235.

libgit2 is not susceptible to CVE-2018-11233.

v0.27

Changes or improvements

API additions

API removals

Breaking API changes

v0.26

Changes or improvements

API additions

