./devel/libgit2, Portable, pure C implementation of the Git core methods



Branch: pkgsrc-2018Q3, Version: 0.27.5, Package name: libgit2-0.27.5, Maintainer: pkgsrc-users

libgit2 is a portable, pure C implementation of the Git core methods provided as
a re-entrant linkable library with a solid API, allowing you to write native
speed custom Git applications in any language which supports C bindings.


Required to run:
[lang/python27] [www/curl] [www/http-parser]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: dc339e9dd54316bd44b2769b52d5e30943e90dcf
RMD160: 864a350940288b3bdbdc90601cb24aed46ce7cbe
Filesize: 4663.24 KB


CVS history:


   2018-10-20 18:18:20 by S.P.Zeidler | Files touched by this commit (2) | Package updated
Log message:
Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update

Revisions pulled up:
- devel/libgit2/Makefile                                        1.29
- devel/libgit2/distinfo                                        1.14

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Oct 18 14:43:01 UTC 2018

   Modified Files:
           pkgsrc/devel/libgit2: Makefile distinfo

   Log message:
   devel/libgit2: update to 0.27.5

   libgit2 0.27.5 (2018/10/5)

   This is a security release fixing the following list of issues:

   * Submodule URLs and paths with a leading "-" are now ignored.  This is due to
     the recently discovered CVE-2018-17456, which can lead to arbitrary code
     execution in upstream git.  While libgit2 itself is not vulnerable, it can
     be used to inject options in an implementation which performs a recursive
     clone by executing an external command.

   * When running repack while doing repo writes, packfile_load__cb() could see
     some temporary files in the directory that were bigger than usual, which
     made memcmp overflow on the p->pack_name string.  This issue was reported
     and fixed by bisho.

   * The configuration file parser used unbounded recursion to parse multiline
     variables, which could lead to a stack overflow.  The issue was reported by
     the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

   * The fix to the unbounded recursion introduced a memory leak in the config
     parser.  While this leak was never in a public release, the oss-fuzz project
     reported this as issue 10127.  The fix was implemented by Nelson Elhage and
     Patrick Steinhardt.

   * When parsing "ok" packets received via the smart protocol, our parsing code
     did not correctly verify the bounds of the packets, which could result in a
     heap-buffer overflow.  The issue was reported by the oss-fuzz project, issue
     9749 and fixed by Patrick Steinhardt.

   * The parsing code for the smart protocol has been tightened in general,
     fixing heap-buffer overflows when parsing the packet type as well as for
     "ACK" and "unpack" packets.  The issue was discovered and fixed by Patrick
     Steinhardt.

   * Fixed potential integer overflows on platforms with 16 bit integers when
     parsing packets for the smart protocol.  The issue was discovered and fixed
     by Patrick Steinhardt.

   * Fixed potential NULL pointer dereference when parsing configuration files
     which have "include.path" or "includeIf..path" statements without a value.

   To generate a diff of this commit:
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
   cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo
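The smart-protocol items in the release notes above ("ok", "ACK" and "unpack" packets read past their bounds) all come down to the same rule: check the pkt-line length against what was actually received before any memcmp on the payload. The following is an added example written for this page, not libgit2's own parser; the function names (pkt_parse, count_ok_packets, first_packet_type) and the sample packets are constructed for illustration and are not captured traffic.

```c
/*
 * Added example, not libgit2 code: a bounds-checked reader for Git
 * smart-protocol pkt-lines and the "ok" / "unpack" packets named in the
 * 0.27.5 notes. Every length check happens before the memcmp that depends
 * on it, so a header claiming more bytes than arrived is rejected, not read.
 */
#include <stddef.h>
#include <string.h>

enum pkt_type { PKT_ERR = -1, PKT_FLUSH, PKT_OK, PKT_UNPACK, PKT_OTHER };

struct pkt {
    enum pkt_type type;
    const char *payload;  /* points into the input; not NUL-terminated */
    size_t payload_len;   /* bytes after the 4-byte prefix, minus trailing '\n' */
};

/* Parse the 4-digit hex length prefix; caller guarantees 4 bytes are readable. */
static int parse_len(const char *p)
{
    int len = 0;
    for (int i = 0; i < 4; i++) {
        int v;
        if (p[i] >= '0' && p[i] <= '9')      v = p[i] - '0';
        else if (p[i] >= 'a' && p[i] <= 'f') v = p[i] - 'a' + 10;
        else if (p[i] >= 'A' && p[i] <= 'F') v = p[i] - 'A' + 10;
        else return -1;
        len = (len << 4) | v;
    }
    return len;
}

/*
 * Parse one pkt-line from buf[0..avail). Returns 0 and fills *out/*consumed,
 * or -1 for a malformed or truncated packet. Never reads beyond avail.
 */
int pkt_parse(const char *buf, size_t avail, struct pkt *out, size_t *consumed)
{
    int len;

    out->type = PKT_ERR; out->payload = NULL; out->payload_len = 0; *consumed = 0;

    if (avail < 4)                       /* not even a complete length prefix */
        return -1;
    if ((len = parse_len(buf)) < 0)
        return -1;
    if (len == 0) {                      /* "0000" is a flush-pkt */
        out->type = PKT_FLUSH; *consumed = 4;
        return 0;
    }
    if (len < 4 || (size_t)len > avail)  /* length includes the prefix and must fit */
        return -1;

    out->payload = buf + 4;
    out->payload_len = (size_t)len - 4;
    if (out->payload_len > 0 && buf[len - 1] == '\n')
        out->payload_len--;

    /* Type checks: only compare when the payload is at least as long as the prefix. */
    if (out->payload_len >= 3 && memcmp(out->payload, "ok ", 3) == 0)
        out->type = PKT_OK;
    else if (out->payload_len >= 7 && memcmp(out->payload, "unpack ", 7) == 0)
        out->type = PKT_UNPACK;
    else
        out->type = PKT_OTHER;

    *consumed = (size_t)len;
    return 0;
}

/* Walk a report-status stream up to the flush-pkt; count "ok" packets, -1 if malformed. */
int count_ok_packets(const char *buf, size_t avail)
{
    size_t off = 0, used;
    int n_ok = 0;
    struct pkt p;

    while (off < avail) {
        if (pkt_parse(buf + off, avail - off, &p, &used) < 0)
            return -1;
        if (p.type == PKT_FLUSH)
            break;
        if (p.type == PKT_OK)
            n_ok++;
        off += used;
    }
    return n_ok;
}

/* Type of the first packet in buf (PKT_ERR on failure); handy for single-packet checks. */
int first_packet_type(const char *buf, size_t avail)
{
    struct pkt p; size_t used;
    pkt_parse(buf, avail, &p, &used);
    return (int)p.type;
}

/* Constructed inputs (not captured traffic): a well-formed report-status reply,
 * and a packet whose header claims 0x40 bytes when only 6 were received. */
static const char SAMPLE_GOOD[] = "000eunpack ok\n" "0019ok refs/heads/master\n" "0000";
static const char SAMPLE_TRUNCATED[] = "0040ok";
```

The point to carry over to any hand-written protocol parser: the declared length is attacker-controlled data, so it is validated against the bytes actually present (and against the minimum the format allows) before it is used as an index, and each packet-type comparison is guarded by the payload length rather than relying on a terminator that a truncated packet will not have.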