@pks-t released this Mar 8, 2018 · 245 commits to maint/v0.26 since this release

This is a security release fixing memory handling issues when reading crafted
repository index files. The issues allow for possible denial of service due to
large memory allocations and out-of-bounds reads.

As the index is never transferred via the network, exploitation requires an
attacker to have access to the local repository.

A list of commits since the last release follows:

01b5a1612 CHANGELOG: udpate for v0.26.2
6f4d04b52 index: error out on unreasonable prefix-compressed path lengths
6ddd286e9 index: fix out-of-bounds read with invalid index entry prefix length
b6756821d index: convert `read_entry` to return entry size via an out-param
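
The class of check these commits describe, as an added example (not libgit2's code): Git's index version 4 stores each path as a varint count of bytes to drop from the end of the previous path, followed by a NUL-terminated suffix. The function names and the caller-supplied `out_size` bound are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode Git's offset-style varint from buf[0..len).
 * Returns bytes consumed, or 0 if truncated or overflowing. */
static size_t read_varint(const unsigned char *buf, size_t len, size_t *out)
{
    size_t i = 0, val;
    unsigned char c;

    if (len == 0)
        return 0;
    c = buf[i++];
    val = c & 0x7f;
    while (c & 0x80) {
        if (i >= len || val >= (SIZE_MAX >> 7))
            return 0;
        c = buf[i++];
        val = ((val + 1) << 7) | (c & 0x7f);
    }
    *out = val;
    return i;
}

/* Rebuild one path from `prev` and the encoded entry in buf[0..len).
 * Hypothetical helper: returns bytes consumed, or 0 if the entry is malformed. */
size_t read_compressed_path(const unsigned char *buf, size_t len,
                            const char *prev, char *out, size_t out_size)
{
    size_t strip, used, suffix_len, prev_len = strlen(prev);
    const unsigned char *nul;

    used = read_varint(buf, len, &strip);
    if (used == 0 || strip > prev_len)
        return 0;                       /* would read before the start of prev */

    nul = memchr(buf + used, '\0', len - used);
    if (nul == NULL)
        return 0;                       /* suffix runs past the end of the buffer */
    suffix_len = (size_t)(nul - (buf + used));

    if (suffix_len >= out_size || prev_len - strip >= out_size - suffix_len)
        return 0;                       /* path too long for the caller's bound */
    memmove(out, prev, prev_len - strip);
    memcpy(out + (prev_len - strip), buf + used, suffix_len + 1);
    return used + suffix_len + 1;
}
```

A return value of 0 means the caller should treat the whole index as corrupt instead of continuing with the next entry.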