Skip to content
  • v1.0.1
  • 0ced296
  • Compare
    Choose a tag to compare
    Search for a tag
  • v1.0.1
  • 0ced296
  • Compare
    Choose a tag to compare
    Search for a tag

@ethomson ethomson released this Jun 4, 2020

This is a bugfix release with the following changes:

  • Calculating information about renamed files during merges is more
    efficient because dissimilarity about files is now being cached and
    no longer needs to be recomputed.

  • The git_worktree_prune_init_options has been correctly restored for
    backward compatibility. In v1.0 it was incorrectly deprecated with a
    typo.

  • The optional ntlmclient dependency now supports NetBSD.

  • A bug where attempting to stash on a bare repository may have failed
    has been fixed.

  • Configuration files that are unreadable due to permissions are now
    silently ignored, and treated as if they do not exist. This matches
    git's behavior; previously this case would have been an error.

  • v4 index files are now correctly written; previously we would read
    them correctly but would not write the prefix-compression accurately,
    causing corruption.

  • A bug where the smart HTTP transport could not read large data packets
    has been fixed. Previously, fetching from servers like Gerrit, that
    sent large data packets, would error.

Assets 4
  • v1.0.0
  • 7d3c705
  • Compare
    Choose a tag to compare
    Search for a tag
  • v1.0.0
  • 7d3c705
  • Compare
    Choose a tag to compare
    Search for a tag

@pks-t pks-t released this Apr 1, 2020

This is release v1.0 "Luftschloss", which is the first stabe release of
libgit2. The API will stay compatible across all releases of the same major
version. This release includes bugfixes only and supersedes v0.99, which will
stop being maintained. Both v0.27 and v0.28 stay supported in accordance with
our release policy.

Changes or improvements

  • CMake was converted to make use of the GNUInstallDirs module for both our
    pkgconfig and install targets in favor of our custom build options
    BIN_INSTALL_DIR, LIB_INSTALL_DIR and INCLUDE_INSTALL_DIR. Instead, you
    can now use CMakes standard variables CMAKE_INSTALL_BINDIR,
    CMAKE_INSTALL_LIBDIR and CMAKE_INSTALL_INCLUDEDIR.

  • Some CMake build options accepted either a specific value or a boolean value
    to disable the option altogether or use automatic detection. We only accepted
    "ON" or "OFF", but none of the other values CMake recognizes as boolean. This
    was aligned with CMake's understanding of booleans.

  • The installed pkgconfig file contained incorrect values for both libdir and
    includedir variables.

  • If using pcre2 for regular expressions, then we incorrectly added "pcre2"
    instead of "pcre2-8" to our pkgconfig dependencies, which was corrected.

  • Fixed building the bundled ntlmclient dependency on FreeBSD, OpenBSD and
    SunOS.

  • When writing symlinks on Windows, we incorrectly handled relative symlink
    targets, which was corrected.

  • When using the HTTP protocol via macOS' SecureTransport implementation, reads
    could stall at the end of the session and only continue after a timeout of 60
    seconds was reached.

  • The filesystem-based reference callback didn't corectly initialize the backend
    version.

  • A segmentation fault was fixed when calling git_blame_buffer() for files
    that were modified and added to the index.

  • A backwards-incompatible change was introduced when we moved some structures
    from "git2/credentials.h" into "git2/sys/credentials.h". This was fixed in the
    case where you do not use hard deprecation.

  • Improved error handling in various places.

Assets 4
  • v0.28.5
  • 7a2b969
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.28.5
  • 7a2b969
  • Compare
    Choose a tag to compare
    Search for a tag

@pks-t pks-t released this Apr 1, 2020

This is a bugfix release with the following changes:

  • Fix an out-of-bounds read when applying patches that do not end
    with a newline.

  • Fix an out-of-bounds read when decoding specially crafted
    binary patches.

  • Fix an out-of-bounds read when receiving a specially crafted
    "OK" packet via the smarthttp transport.

  • Fix lifetime for parsed patches depending on the lifetime of
    the parsed buffe.

  • Several fixes when parsing and applying patches.

  • Fix computed patch IDs for patches that have no newline at end
    of file.

  • Fix applying patches to trees that add new files.

  • Do not read configuration from a user's home directory if
    running in a sandboxed environment.

  • Fix handling of nested ignore rules overriding wildcard
    unignores in parent directories.

  • Fix reference locks not being correctly honored on Unix
    systems.

  • Follow 308 redirects when fetching or pushing from remote
    repositories on Windows.

  • Fix a race when detaching the libgit2 library on Windows.

  • Update the "binary" gitattribute macro to match git's change
    to "-diff -merge -text -crlf".

  • Refuse to delete the HEAD reference.

  • Fixes for several memory leaks.

  • When fetching from an anonymous remote using a URL with authentication
    information provided in the URL (eg https://foo:bar@example.com/repo),
    we would erroneously include the literal URL in the FETCH_HEAD file.
    We now remove that to match git's behavior.

Assets 4
  • v0.99.0
  • 1722390
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.99.0
  • 1722390
  • Compare
    Choose a tag to compare
    Search for a tag

@pks-t pks-t released this Feb 19, 2020

This is v0.99 "Torschlusspanik". This will be the last minor release
before libgit2 v1.0. We expect to only respond to bugs in this release,
to stabilize it for next major release.

It contains significant refactorings, but is expected to be API-compatible
with v0.28.0.

Changes or improvements

  • When fetching from an anonymous remote using a URL with authentication
    information provided in the URL (eg https://foo:bar@example.com/repo),
    we would erroneously include the literal URL in the FETCH_HEAD file.
    We now remove that to match git's behavior.

  • Some credential structures, enums and values have been renamed:
    git_cred is now git_credential. git_credtype_t is now
    git_credential_t. Functions and types beginning with
    git_cred_ now begin with git_credential, and constants beginning
    with GIT_CREDTYPE now begin with GIT_CREDENTIAL. The former names
    are deprecated.

  • Several function signatures have been changed to return an int to
    indicate error conditions. We encourage you to check them for errors
    in the standard way.

    • git_attr_cache_flush
    • git_error_set_str
    • git_index_name_clear
    • git_index_reuc_clear
    • git_libgit2_version
    • git_mempack_reset
    • git_oid_cpy
    • git_oid_fmt
    • git_oid_fromraw
    • git_oid_nfmt
    • git_oid_pathfmt
    • git_remote_stop
    • git_remote_disconnect
    • git_repository__cleanup
    • git_repository_set_config
    • git_repository_set_index
    • git_repository_set_odb
    • git_repository_set_refdb
    • git_revwalk_reset
    • git_revwalk_simplify_first_parent
    • git_revwalk_sorting
    • git_treebuilder_clear
    • git_treebuilder_filter
  • The NTLM and Negotiate authentication mechanisms are now supported when
    talking to git implementations hosted on Apache or nginx servers.

  • The HEAD symbolic reference can no longer be deleted.

  • git_merge_driver_source_repo no longer returns a const git_repository *,
    it now returns a non-const git_repository *.

  • Relative symbolic links are now supported on Windows when core.symlinks
    is enabled.

  • Servers that provide query parameters with a redirect are now supported.

  • git_submodule_sync will now resolve relative URLs.

  • When creating git endpoint URLs, double-slashes are no longer used when
    the given git URL has a trailing slash.

  • On Windows, a DllMain function is no longer included and thread-local
    storage has moved to fiber-local storage in order to prevent race
    conditions during shutdown.

  • The tracing mechanism (GIT_TRACE) is now enabled by default and does
    not need to be explicitly enabled in CMake.

  • The size of Git objects is now represented by git_object_size_t
    instead of off_t.

  • Binary patches without data can now be parsed.

  • A configuration snapshot can now be created from another configuration
    snapshot, not just a "true" configuration object.

  • The git_commit_with_signature API will now ensure that referenced
    objects exist in the object database.

  • Stash messages containing newlines will now be replaced with spaces;
    they will no longer be (erroneously) written to the repository.

  • git_commit_create_with_signature now verifies the commit information
    to ensure that it points to a valid tree and valid parents.

  • git_apply has an option GIT_APPLY_CHECK that will only do a dry-run.
    The index and working directory will remain unmodified, and application
    will report if it would have worked.

  • Patches produced by Mercurial (those that lack some git extended headers)
    can now be parsed and applied.

  • Reference locks are obeyed correctly on POSIX platforms, instead of
    being removed.

  • Patches with empty new files can now be read and applied.

  • git_apply_to_tree can now correctly apply patches that add new files.

  • The program data configuration on Windows (C:\ProgramData\Git\config)
    must be owned by an administrator, a system account or the current user
    to be read.

  • git_blob_filtered_content is now deprecated in favor of git_blob_filter.

  • Configuration files can now be included conditionally using the
    onbranch conditional.

  • Checkout can now properly create and remove symbolic links to directories
    on Windows.

  • Stash no longer recomputes trees when committing a worktree, for
    improved performance.

  • Repository templates can now include a HEAD file to default the
    initial default branch.

  • Some configuration structures, enums and values have been renamed:
    git_cvar_map is now git_configmap, git_cvar_t is now
    git_configmap_t, GIT_CVAR_FALSE is now GIT_CONFIGMAP_FALSE,
    GIT_CVAR_TRUE is now GIT_CONFIGMAP_TRUE, GIT_CVAR_INT32 is now
    GIT_CONFIGMAP_INT32, and GIT_CVAR_STRING is now GIT_CONFIGMAP_STRING.
    The former names are deprecated.

  • Repositories can now be created at the root of a Windows drive.

  • Configuration lookups are now more efficiently cached.

  • git_commit_create_with_signature now supports a NULL signature,
    which will create a commit without adding a signature.

  • When a repository lacks an info "common directory", we will no
    longer erroneously return GIT_ENOTFOUND for all attribute lookups.

  • Several attribute macros have been renamed: GIT_ATTR_TRUE is now
    GIT_ATTR_IS_TRUE, GIT_ATTR_FALSE is now GIT_ATTR_IS_FALSE,
    GIT_ATTR_UNSPECIFIED is now GIT_ATTR_IS_UNSPECIFIED. The
    attribute enum git_attr_t is now git_attr_value_t and its
    values have been renamed: GIT_ATTR_UNSPECIFIED_T is now
    GIT_ATTR_VALUE_UNSPECIFIED, GIT_ATTR_TRUE_T is now
    GIT_ATTR_VALUE_TRUE, GIT_ATTR_FALSE_T is now GIT_ATTR_VALUE_FALSE,
    and GIT_ATTR_VALUE_T is now GIT_ATTR_VALUE_STRING. The
    former names are deprecated.

  • git_object__size is now git_object_size. The former name is
    deprecated.

  • git_tag_create_frombuffer is now git_tag_create_from_buffer. The
    former name is deprecated.

  • Several blob creation functions have been renamed:
    git_blob_create_frombuffer is now named git_blob_create_from_buffer,
    git_blob_create_fromdisk is now named git_blob_create_from_disk,
    git_blob_create_fromworkdir is now named git_blob_create_from_workdir,
    git_blob_create_fromstream is now named git_blob_create_from_stream,
    and git_blob_create_fromstream_commit is now named
    git_blob_create_from_stream_commit. The former names are deprecated.

  • The function git_oid_iszero is now named git_oid_is_zero. The
    former name is deprecated.

  • Pattern matching is now done using wildmatch instead of fnmatch
    for compatibility with git.

  • The option initialization functions suffixed by init_options are now
    suffixed with options_init. (For example, git_checkout_init_options
    is now git_checkout_options_init.) The former names are deprecated.

  • NTLM2 authentication is now supported on non-Windows platforms.

  • The git_cred_sign_callback callback is now named git_cred_sign_cb.
    The git_cred_ssh_interactive_callback callback is now named
    git_cred_ssh_interactive_cb.

  • Ignore files now:

    • honor escaped trailing whitespace.
    • do not incorrectly negate sibling paths of a negated pattern.
    • honor rules that stop ignoring files after a wildcard
  • Attribute files now:

    • honor leading and trailing whitespace.
    • treat paths beginning with \ as absolute only on Windows.
    • properly handle escaped characters.
    • stop reading macros defined in subdirectories
  • The C locale is now correctly used when parsing regular expressions.

  • The system PCRE2 or PCRE regular expression libraries are now used
    when regcomp_l is not available on the system. If none of these
    are available on the system, an included version of PCRE is used.

  • Wildcards in reference specifications are now supported beyond simply
    a bare wildcard (*) for compatibility with git.

  • When git_ignore_path_is_ignored is provided a path with a trailing
    slash (eg, dir/), it will now treat it as a directory for the
    purposes of ignore matching.

  • Patches that add or remove a file with a space in the path can now
    be correctly parsed.

  • The git_remote_completion_type type is now git_remote_completion_t.
    The former name is deprecated.

  • The git_odb_backend_malloc is now git_odb_backend_data_alloc. The
    former name is deprecated.

  • The git_transfer_progress_cb callback is now git_indexer_progress_cb
    and the git_transfer_progress structure is now git_indexer_progress.
    The former names are deprecated.

  • The example projects are now contained in a single lg2 executable
    for ease of use.

  • libgit2 now correctly handles more URLs, such as
    http://example.com:/repo.git (colon but no port),
    http://example.com (no path),
    and http://example.com:8080/ (path is /, nonstandard port).

  • A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

  • The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

API additions

  • The SSH host key now supports SHA-256 when GIT_CERT_SSH_SHA256 is set.

  • The diff format option GIT_DIFF_FORMAT_PATCH_ID can now be used to
    emit an output like git patch-id.

  • The git_apply_options_init function will initialize a
    git_apply_options structure.

  • The remote callbacks structure adds a git_url_resolve_cb callback
    that is invoked when connecting to a server, so that applications
    may edit or replace the URL before connection.

  • The information about the original HEAD in a rebase operation is
    available with git_rebase_orig_head_name. Its ID is available with
    git_rebase_orig_head_id. The onto reference name is available with
    git_rebase_onto_name and its ID is available with git_rebase_onto_id.

  • ODB backends can now free backend data when an error occurs during its
    backend data creation using git_odb_backend_data_free.

  • Options may be specified to git_repository_foreach_head to control
    its behavior: GIT_REPOSITORY_FOREACH_HEAD_SKIP_REPO will not skip
    the main repository's HEAD reference, while
    GIT_REPOSITORY_FOREACH_HEAD_SKIP_WORKTREES will now skip the
    worktree HEAD references.

  • The GIT_OPT_DISABLE_PACK_KEEP_FILE_CHECKS option can be specified to
    git_libgit2_opts() to avoid looking for .keep files that correspond
    to packfiles. This setting can improve performance when packfiles are
    stored on high-latency filesystems like network filesystems.

  • Blobs can now be filtered with git_blob_filter, which allows for
    options to be set with git_blob_filter_options, including
    GIT_FILTER_NO_SYSTEM_ATTRIBUTES to disable filtering with system-level
    attributes in /etc/gitattributes and GIT_ATTR_CHECK_INCLUDE_HEAD to
    enable filtering with .gitattributes files in the HEAD revision.

API removals

  • The unused git_headlist_cb function declaration was removed.

  • The unused git_time_monotonic API is removed.

  • The erroneously exported inttypes.h header was removed.

Security Fixes

  • CVE-2019-1348: the fast-import stream command "feature
    export-marks=path" allows writing to arbitrary file paths. As
    libgit2 does not offer any interface for fast-import, it is not
    susceptible to this vulnerability.

  • CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
    alternate filesystreams, it is possible to cause submodules to
    be written into pre-existing directories during a recursive
    clone using git. As libgit2 rejects cloning into non-empty
    directories by default, it is not susceptible to this
    vulnerability.

  • CVE-2019-1350: recursive clones may lead to arbitrary remote
    code executing due to improper quoting of command line
    arguments. As libgit2 uses libssh2, which does not require us
    to perform command line parsing, it is not susceptible to this
    vulnerability.

  • CVE-2019-1351: Windows provides the ability to substitute
    drive letters with arbitrary letters, including multi-byte
    Unicode letters. To fix any potential issues arising from
    interpreting such paths as relative paths, we have extended
    detection of DOS drive prefixes to accomodate for such cases.

  • CVE-2019-1352: by using NTFS-style alternative file streams for
    the ".git" directory, it is possible to overwrite parts of the
    repository. While this has been fixed in the past for Windows,
    the same vulnerability may also exist on other systems that
    write to NTFS filesystems. We now reject any paths starting
    with ".git:" on all systems.

  • CVE-2019-1353: by using NTFS-style 8.3 short names, it was
    possible to write to the ".git" directory and thus overwrite
    parts of the repository, leading to possible remote code
    execution. While this problem was already fixed in the past for
    Windows, other systems accessing NTFS filesystems are
    vulnerable to this issue too. We now enable NTFS protecions by
    default on all systems to fix this attack vector.

  • CVE-2019-1354: on Windows, backslashes are not a valid part of
    a filename but are instead interpreted as directory separators.
    As other platforms allowed to use such paths, it was possible
    to write such invalid entries into a Git repository and was
    thus an attack vector to write into the ".git" dierctory. We
    now reject any entries starting with ".git" on all systems.

  • CVE-2019-1387: it is possible to let a submodule's git
    directory point into a sibling's submodule directory, which may
    result in overwriting parts of the Git repository and thus lead
    to arbitrary command execution. As libgit2 doesn't provide any
    way to do submodule clones natively, it is not susceptible to
    this vulnerability. Users of libgit2 that have implemented
    recursive submodule clones manually are encouraged to review
    their implementation for this vulnerability.

Breaking API changes

  • The "private" implementation details of the git_cred structure have been
    moved to a dedicated git2/sys/cred.h header, to clarify that the underlying
    structures are only provided for custom transport implementers.
    The breaking change is that the username member of the underlying struct
    is now hidden, and a new git_cred_get_username function has been provided.

Breaking CMake configuration changes

  • The CMake option to use a system http-parser library, instead of the
    bundled dependency, has changed. This is due to a deficiency in
    http-parser that we have fixed in our implementation. The bundled
    library is now the default, but if you wish to force the use of the
    system http-parser implementation despite incompatibilities, you can
    specify -DUSE_HTTP_PARSER=system to CMake.

  • The interactions between USE_HTTPS and SHA1_BACKEND have been
    streamlined. The detection was moved to a new USE_SHA1, modeled after
    USE_HTTPS, which takes the values "CollisionDetection/Backend/Generic", to
    better match how the "hashing backend" is selected, the default (ON) being
    "CollisionDetection". If you were using SHA1_BACKEND previously, you'll
    need to check the value you've used, or switch to the autodetection.

Authors

The following individuals provided changes that were included in this
release:

  • Aaron Patterson
  • Alberto Fanjul
  • Anders Borum
  • Augie Fackler
  • Augustin Fabre
  • Ayush Shridhar
  • brian m. carlson
  • buddyspike
  • Carlos Martín Nieto
  • cheese1
  • Dan Skorupski
  • Daniel Cohen Gindi
  • Dave Lee
  • David Brooks
  • David Turner
  • Denis Laxalde
  • Dhruva Krishnamurthy
  • Dominik Ritter
  • Drew DeVault
  • Edward Thomson
  • Eric Huss
  • Erik Aigner
  • Etienne Samson
  • Gregory Herrero
  • Heiko Voigt
  • Ian Hattendorf
  • Jacques Germishuys
  • Janardhan Pulivarthi
  • Jason Haslam
  • Johannes Schindelin
  • Jordan Wallet
  • Josh Bleecher Snyder
  • kas
  • kdj0c
  • Laurence McGlashan
  • lhchavez
  • Lukas Berk
  • Max Kostyukevich
  • Patrick Steinhardt
  • pcpthm
  • Remy Suen
  • Robert Coup
  • romkatv
  • Scott Furry
  • Sebastian Henke
  • Stefan Widgren
  • Steve King Jr
  • Sven Strickroth
  • Tobias Nießen
  • Tyler Ang-Wanek
  • Tyler Wanek
Assets 4
  • v0.28.4
  • 106a5f2
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.28.4
  • 106a5f2
  • Compare
    Choose a tag to compare
    Search for a tag

@pks-t pks-t released this Dec 10, 2019 · 57 commits to maint/v0.28 since this release

This is a security release fixing the following issues:

  • CVE-2019-1348: the fast-import stream command "feature
    export-marks=path" allows writing to arbitrary file paths. As
    libgit2 does not offer any interface for fast-import, it is not
    susceptible to this vulnerability.

  • CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
    alternate filesystreams, it is possible to cause submodules to
    be written into pre-existing directories during a recursive
    clone using git. As libgit2 rejects cloning into non-empty
    directories by default, it is not susceptible to this
    vulnerability.

  • CVE-2019-1350: recursive clones may lead to arbitrary remote
    code executing due to improper quoting of command line
    arguments. As libgit2 uses libssh2, which does not require us
    to perform command line parsing, it is not susceptible to this
    vulnerability.

  • CVE-2019-1351: Windows provides the ability to substitute
    drive letters with arbitrary letters, including multi-byte
    Unicode letters. To fix any potential issues arising from
    interpreting such paths as relative paths, we have extended
    detection of DOS drive prefixes to accomodate for such cases.

  • CVE-2019-1352: by using NTFS-style alternative file streams for
    the ".git" directory, it is possible to overwrite parts of the
    repository. While this has been fixed in the past for Windows,
    the same vulnerability may also exist on other systems that
    write to NTFS filesystems. We now reject any paths starting
    with ".git:" on all systems.

  • CVE-2019-1353: by using NTFS-style 8.3 short names, it was
    possible to write to the ".git" directory and thus overwrite
    parts of the repository, leading to possible remote code
    execution. While this problem was already fixed in the past for
    Windows, other systems accessing NTFS filesystems are
    vulnerable to this issue too. We now enable NTFS protecions by
    default on all systems to fix this attack vector.

  • CVE-2019-1354: on Windows, backslashes are not a valid part of
    a filename but are instead interpreted as directory separators.
    As other platforms allowed to use such paths, it was possible
    to write such invalid entries into a Git repository and was
    thus an attack vector to write into the ".git" dierctory. We
    now reject any entries starting with ".git" on all systems.

  • CVE-2019-1387: it is possible to let a submodule's git
    directory point into a sibling's submodule directory, which may
    result in overwriting parts of the Git repository and thus lead
    to arbitrary command execution. As libgit2 doesn't provide any
    way to do submodule clones natively, it is not susceptible to
    this vulnerability. Users of libgit2 that have implemented
    recursive submodule clones manually are encouraged to review
    their implementation for this vulnerability.

Assets 2
  • v0.27.10
  • 45c6187
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.27.10
  • 45c6187
  • Compare
    Choose a tag to compare
    Search for a tag

@pks-t pks-t released this Dec 10, 2019

This is a security release fixing the following issues:

  • CVE-2019-1348: the fast-import stream command "feature
    export-marks=path" allows writing to arbitrary file paths. As
    libgit2 does not offer any interface for fast-import, it is not
    susceptible to this vulnerability.

  • CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
    alternate filesystreams, it is possible to cause submodules to
    be written into pre-existing directories during a recursive
    clone using git. As libgit2 rejects cloning into non-empty
    directories by default, it is not susceptible to this
    vulnerability.

  • CVE-2019-1350: recursive clones may lead to arbitrary remote
    code executing due to improper quoting of command line
    arguments. As libgit2 uses libssh2, which does not require us
    to perform command line parsing, it is not susceptible to this
    vulnerability.

  • CVE-2019-1351: Windows provides the ability to substitute
    drive letters with arbitrary letters, including multi-byte
    Unicode letters. To fix any potential issues arising from
    interpreting such paths as relative paths, we have extended
    detection of DOS drive prefixes to accomodate for such cases.

  • CVE-2019-1352: by using NTFS-style alternative file streams for
    the ".git" directory, it is possible to overwrite parts of the
    repository. While this has been fixed in the past for Windows,
    the same vulnerability may also exist on other systems that
    write to NTFS filesystems. We now reject any paths starting
    with ".git:" on all systems.

  • CVE-2019-1353: by using NTFS-style 8.3 short names, it was
    possible to write to the ".git" directory and thus overwrite
    parts of the repository, leading to possible remote code
    execution. While this problem was already fixed in the past for
    Windows, other systems accessing NTFS filesystems are
    vulnerable to this issue too. We now enable NTFS protecions by
    default on all systems to fix this attack vector.

  • CVE-2019-1354: on Windows, backslashes are not a valid part of
    a filename but are instead interpreted as directory separators.
    As other platforms allowed to use such paths, it was possible
    to write such invalid entries into a Git repository and was
    thus an attack vector to write into the ".git" dierctory. We
    now reject any entries starting with ".git" on all systems.

  • CVE-2019-1387: it is possible to let a submodule's git
    directory point into a sibling's submodule directory, which may
    result in overwriting parts of the Git repository and thus lead
    to arbitrary command execution. As libgit2 doesn't provide any
    way to do submodule clones natively, it is not susceptible to
    this vulnerability. Users of libgit2 that have implemented
    recursive submodule clones manually are encouraged to review
    their implementation for this vulnerability.

Assets 2

@ethomson ethomson released this Aug 13, 2019 · 17 commits to maint/v0.27 since this release

This is a security release fixing the following issues:

  • A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

  • The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

Assets 2

@ethomson ethomson released this Aug 13, 2019 · 74 commits to maint/v0.28 since this release

This is a security release fixing the following issues:

  • A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

  • The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

Assets 2
  • v0.28.2
  • b3e1a56
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.28.2
  • b3e1a56
  • Compare
    Choose a tag to compare
    Search for a tag

@pks-t pks-t released this May 21, 2019 · 78 commits to maint/v0.28 since this release

This is a bugfix release with the following changes:

  • Fix include directory ordering when using bundled dependencies.

  • Fix infinite loop when searching for a non-existing repository with
    Windows-style paths including drive prefixes.

  • Fix symlinks to directories on Windows.

  • Fix paths with a trailing "/" not always being treated as
    directories when computing ignores.

  • Fix false negatives when computing ignores where ignore rules
    that are a prefix to a negative ignore rule exist.

  • Fix patches with CRLF line endings not being parsed correctly.

  • Fix segfault when parsing patches with file addition (deletion)
    where the added (deleted) file name contains a space.

  • Fix assertion failure when trying to write to a non-existent
    locked configuration file.

Assets 2
  • v0.28.1
  • 572e4d8
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.28.1
  • 572e4d8
  • Compare
    Choose a tag to compare
    Search for a tag

@ethomson ethomson released this Feb 14, 2019 · 99 commits to maint/v0.28 since this release

This is a bugfix release with the following change:

  • The deprecated functions (git_buf_free and the giterr_ family of functions) are now exported properly. In the v0.28 release, they were not given the correct external attributes and they did not have the correct linkage visibility in the v0.28 library.
Assets 2
You can’t perform that action at this time.