thodg/libgit2/CHANGELOG.md

v0.27.3

This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.

When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another “base” object. A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function git_apply__patch. But as this function is not in use outside of our test suite, it is not a possible attack vector.
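The bug class described above, as an added example that is not libgit2's code: a bounds check on a delta copy instruction that adds the untrusted offset and length can wrap around, while a subtraction-based check cannot. All function names are hypothetical, and the additive form of the weak check is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Weak form: off + len is computed in size_t and can wrap past SIZE_MAX,
 * so a huge offset paired with a small length yields a small sum. */
static int copy_range_ok_naive(size_t base_len, size_t off, size_t len)
{
    return off + len <= base_len;
}

/* Hardened form: compare each value against what is left of the base,
 * so no arithmetic on untrusted values can wrap. */
static int copy_range_ok(size_t base_len, size_t off, size_t len)
{
    return off <= base_len && len <= base_len - off;
}

/* Apply one "copy from base" instruction; returns 0 on success, -1 if the
 * instruction would read outside the base or write outside the output. */
static int delta_copy(unsigned char *out, size_t out_left,
                      const unsigned char *base, size_t base_len,
                      size_t off, size_t len)
{
    if (!copy_range_ok(base_len, off, len) || len > out_left)
        return -1;
    memcpy(out, base + off, len);
    return 0;
}

/* Constructed sample: a 16-byte base and an instruction whose offset
 * makes off + len wrap. Returns 1 when the instruction is rejected. */
static int demo_wrapping_instruction_rejected(void)
{
    unsigned char base[16], out[16];
    memset(base, 'A', sizeof base);
    return delta_copy(out, sizeof out, base, sizeof base, SIZE_MAX - 3, 8) == -1;
}

int main(void)
{
    /* The naive check accepts the wrapping instruction; delta_copy rejects it. */
    return (copy_range_ok_naive(16, SIZE_MAX - 3, 8) &&
            demo_wrapping_instruction_rejected()) ? 0 : 1;
}
```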

v0.27.2

Changes or improvements

v0.27.1

This is a security release that fixes insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans) and disallows .gitmodules files as symlinks.

While submodule names come from the untrusted “.gitmodules” file, we blindly append the name to “$GIT_DIR/modules” to construct the final path of the submodule repository. If the name contains e.g. “../”, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.

Adding a symlink as .gitmodules into the index from the workdir or checking out such files is not allowed as this can make a Git implementation write outside of the repository and bypass the fsck checks for CVE-2018-11235.

libgit2 is not susceptible to CVE-2018-11233.

v0.27

Changes or improvements

API additions

API removals

Breaking API changes

v0.26

Changes or improvements

API additions

