Path to this page:
Subject: CVS commit: [pkgsrc-2018Q3] pkgsrc/devel/libgit2
From: S.P.Zeidler
Date: 2018-10-20 18:18:20
Message id: 20181020161820.8213AFBEE@cvs.NetBSD.org
Log Message:
Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update
Revisions pulled up:
- devel/libgit2/Makefile 1.29
- devel/libgit2/distinfo 1.14
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Thu Oct 18 14:43:01 UTC 2018
Modified Files:
pkgsrc/devel/libgit2: Makefile distinfo
Log Message:
devel/libgit2: update to 0.27.5
libgit2 0.27.5 (2018/10/5)
This is a security release fixing the following list of issues:
* Submodule URLs and paths with a leading "-" are now ignored. \
This is due to
the recently discovered CVE-2018-17456, which can lead to arbitrary code
execution in upstream git. While libgit2 itself is not vulnerable, it can
be used to inject options in an implementation which performs a recursive
clone by executing an external command.
* When running repack while doing repo writes, packfile_load__cb() could see
some temporary files in the directory that were bigger than the usual, and
makes memcmp overflow on the p->pack_name string. This issue was reported
and fixed by bisho.
* The configuration file parser used unbounded recursion to parse multiline
variables, which could lead to a stack overflow. The issue was reported by
the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.
* The fix to the unbounded recursion introduced a memory leak in the config
parser. While this leak was never in a public release, the oss-fuzz project
reported this as issue 10127. The fix was implemented by Nelson Elhage and
Patrick Steinhardt.
* When parsing "ok" packets received via the smart protocol, our \
parsing code
did not correctly verify the bounds of the packets, which could result in a
heap-buffer overflow. The issue was reported by the oss-fuzz project, issue
9749 and fixed by Patrick Steinhardt.
* The parsing code for the smart protocol has been tightened in general,
fixing heap-buffer overflows when parsing the packet type as well as for
"ACK" and "unpack" packets. The issue was discovered \
and fixed by Patrick
Steinhardt.
* Fixed potential integer overflows on platforms with 16 bit integers when
parsing packets for the smart protocol. The issue was discovered and fixed
by Patrick Steinhardt.
* Fixed potential NULL pointer dereference when parsing configuration files
which have "include.path" or "includeIf..path" \
statements without a value.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo
Files: