Path to this page:
./
devel/libgit2,
Portable, pure C implementation of the Git core methods
Branch: pkgsrc-2018Q3,
Version: 0.27.5,
Package name: libgit2-0.27.5,
Maintainer: pkgsrc-userslibgit2 is a portable, pure C implementation of the Git core methods provided as
a re-entrant linkable library with a solid API, allowing you to write native
speed custom Git applications in any language which supports C bindings.
Required to run:[
lang/python27] [
www/curl] [
www/http-parser]
Required to build:[
pkgtools/cwrappers]
Master sites:
SHA1: dc339e9dd54316bd44b2769b52d5e30943e90dcf
RMD160: 864a350940288b3bdbdc90601cb24aed46ce7cbe
Filesize: 4663.24 KB
Version history: (Expand)
- (2018-10-22) Package added to pkgsrc.se, version libgit2-0.27.5 (created)
CVS history: (Expand)
2018-10-20 18:18:20 by S.P.Zeidler | Files touched by this commit (2) | |
Log message:
Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update
Revisions pulled up:
- devel/libgit2/Makefile 1.29
- devel/libgit2/distinfo 1.14
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Oct 18 14:43:01 UTC 2018
Modified Files:
pkgsrc/devel/libgit2: Makefile distinfo
Log message:
devel/libgit2: update to 0.27.5
libgit2 0.27.5 (2018/10/5)
This is a security release fixing the following list of issues:
* Submodule URLs and paths with a leading "-" are now ignored. \
This is due to
the recently discovered CVE-2018-17456, which can lead to arbitrary code
execution in upstream git. While libgit2 itself is not vulnerable, it can
be used to inject options in an implementation which performs a recursive
clone by executing an external command.
* When running repack while doing repo writes, packfile_load__cb() could see
some temporary files in the directory that were bigger than the usual, and
makes memcmp overflow on the p->pack_name string. This issue was reported
and fixed by bisho.
* The configuration file parser used unbounded recursion to parse multiline
variables, which could lead to a stack overflow. The issue was reported by
the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.
* The fix to the unbounded recursion introduced a memory leak in the config
parser. While this leak was never in a public release, the oss-fuzz project
reported this as issue 10127. The fix was implemented by Nelson Elhage and
Patrick Steinhardt.
* When parsing "ok" packets received via the smart protocol, our \
parsing code
did not correctly verify the bounds of the packets, which could result in a
heap-buffer overflow. The issue was reported by the oss-fuzz project, issue
9749 and fixed by Patrick Steinhardt.
* The parsing code for the smart protocol has been tightened in general,
fixing heap-buffer overflows when parsing the packet type as well as for
"ACK" and "unpack" packets. The issue was discovered \
and fixed by Patrick
Steinhardt.
* Fixed potential integer overflows on platforms with 16 bit integers when
parsing packets for the smart protocol. The issue was discovered and fixed
by Patrick Steinhardt.
* Fixed potential NULL pointer dereference when parsing configuration files
which have "include.path" or "includeIf..path" \
statements without a value.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo
|