Releases: libgit2/libgit2
libgit2 v0.26.8
This is a security release fixing the following list of issues:

- The function family `git__strtol` is used to parse integers from a buffer. As the functions do not take a buffer length as argument, they will scan either until the end of the current number or until a NUL byte is encountered. Many callers have been misusing the function and called it on potentially non-NUL-terminated buffers, resulting in possible out-of-bounds reads. Callers have been fixed to use the `git__strntol` functions instead, and the `git__strtol` functions were removed.
- The function `git__strntol64` relied on the undefined behavior of signed integer overflows. While the code tried to detect such overflows after they had happened, this is unspecified behavior and may lead to weird behavior on uncommon platforms.
- In the case where `git__strntol32` was unable to parse an integer because it doesn't fit into an `int32_t`, it printed an error message containing the string that is currently being parsed. The code didn't truncate the string though, which caused it to print the complete string until a NUL byte is encountered and not only the currently parsed number. In case the string was not NUL terminated, this could have led to an out-of-bounds read.
- When parsing tags, all unknown fields that appear before the tag message are skipped. This skipping is done by using a plain `strstr(buffer, "\n\n")` to search for the two newlines that separate tag fields from the tag message. As it is not possible to supply a buffer length to `strstr`, this call may skip over the buffer's end and thus result in an out-of-bounds read. As `strstr` may return a pointer that is out of bounds, the following computation of `buffer_end - buffer` will overflow and result in an allocation of an invalid length. Note that when reading objects from the object database, we make sure to always NUL terminate them, making the use of `strstr` safe.
- When parsing the "encoding" field of a commit, we may perform an out-of-bounds read due to using `git__prefixcmp` instead of `git__prefixncmp`. This can result in the parsed commit object containing uninitialized data in both its message encoding and message fields. Note that when reading objects from the object database, we make sure to always NUL terminate them, making the use of `strstr` safe.
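The first three items above concern integer parsing that ignores the buffer length, and the last two concern `strstr` and `git__prefixcmp` run on buffers that may not be NUL terminated. The following is an added example, not libgit2's code: length-bounded stand-ins (the names `parse_int32n`, `find_header_end`, `has_prefixn` and `extract_encoding` are hypothetical) showing the pattern the fixes moved to, exercised on a constructed commit-like buffer that deliberately carries no trailing NUL and on integers at the edges of `int32_t`.

```c
/* Added example, not libgit2 code: length-bounded parsing helpers of the kind
 * the fixes above switched to. Every function takes an explicit length and
 * never reads buf[len], so it is safe on buffers without a trailing NUL. Names
 * are hypothetical stand-ins for git__strntol32, git__prefixncmp and strstr. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a decimal int32_t from buf[0..len). Returns bytes consumed, or -1 if
 * there are no digits or the value does not fit. The range test runs before
 * each multiply-add, so nothing relies on signed overflow (undefined in C). */
static int parse_int32n(const char *buf, size_t len, int32_t *out)
{
    size_t i = 0;
    int neg = 0;
    int64_t mag = 0, limit;
    if (i < len && (buf[i] == '-' || buf[i] == '+'))
        neg = (buf[i++] == '-');
    limit = neg ? (int64_t)INT32_MAX + 1 : INT32_MAX;   /* |INT32_MIN| for negatives */
    if (i >= len || buf[i] < '0' || buf[i] > '9')
        return -1;                                      /* no digits at all */
    for (; i < len && buf[i] >= '0' && buf[i] <= '9'; i++) {
        int d = buf[i] - '0';
        if (mag > (limit - d) / 10)                     /* next step would exceed limit */
            return -1;
        mag = mag * 10 + d;
    }
    *out = (int32_t)(neg ? -mag : mag);
    return (int)i;
}

/* Offset of the "\n\n" that separates header fields from the message within
 * buf[0..len), or -1 if absent. A plain strstr() would keep scanning past len
 * on a buffer that is not NUL terminated. */
static long find_header_end(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    if (len < 2)
        return -1;
    /* search only up to end - 1 so that p[1] is always inside the buffer */
    while ((p = memchr(p, '\n', (size_t)(end - p) - 1)) != NULL) {
        if (p[1] == '\n')
            return (long)(p - buf);
        p++;
    }
    return -1;
}

/* Bounded prefix test, the role git__prefixncmp plays in the commit parser:
 * true if buf[0..len) begins with the NUL-terminated prefix. */
static int has_prefixn(const char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    return len >= plen && memcmp(buf, prefix, plen) == 0;
}

/* Copy the value of the "encoding" header of a commit-like object in
 * buf[0..len) into out. Returns 1 if found, 0 if absent, -1 if the
 * header/message separator is missing. */
static int extract_encoding(const char *buf, size_t len, char *out, size_t outsz)
{
    static const char key[] = "encoding ";
    long hdr_end = find_header_end(buf, len);
    size_t pos = 0;
    if (hdr_end < 0)
        return -1;
    while (pos < (size_t)hdr_end) {
        const char *line = buf + pos;
        size_t remain = (size_t)hdr_end - pos;
        const char *nl = memchr(line, '\n', remain);
        size_t linelen = nl ? (size_t)(nl - line) : remain;
        if (has_prefixn(line, linelen, key)) {
            size_t vlen = linelen - (sizeof key - 1);
            if (vlen >= outsz)
                vlen = outsz - 1;                       /* truncate, never overrun out */
            memcpy(out, line + (sizeof key - 1), vlen);
            out[vlen] = '\0';
            return 1;
        }
        pos += linelen + 1;
    }
    return 0;
}

/* Constructed sample: exactly 33 bytes, so the array holds no terminating NUL
 * (C permits this); its length is always passed explicitly. */
static const char sample_commit[33] = "tree abc\nencoding ISO-8859-1\n\nmsg";

int main(void)
{
    char enc[32];
    int32_t v;
    int found = extract_encoding(sample_commit, sizeof sample_commit, enc, sizeof enc);
    printf("encoding: %s\n", found == 1 ? enc : "(none)");
    printf("\"2147483648\" -> %d (rejected, does not fit int32_t)\n", parse_int32n("2147483648", 10, &v));
    return 0;
}
```

The integer parser tests `mag > (limit - d) / 10` before the multiply-add, so the accumulator never leaves the representable range; the header scan passes `end - p - 1` to `memchr` so that `p[1]` is always inside the buffer, which is the property `strstr` cannot give on a non-terminated buffer.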
libgit2 v0.27.5
This is a security release fixing the following list of issues:

- Submodule URLs and paths with a leading "-" are now ignored. This is due to the recently discovered CVE-2018-17456, which can lead to arbitrary code execution in upstream git. While libgit2 itself is not vulnerable, it can be used to inject options in an implementation which performs a recursive clone by executing an external command.
- When running repack while doing repo writes, `packfile_load__cb()` could see some temporary files in the directory that were bigger than usual, and made `memcmp` overflow on the `p->pack_name` string. This issue was reported and fixed by bisho.
- The configuration file parser used unbounded recursion to parse multiline variables, which could lead to a stack overflow. The issue was reported by the oss-fuzz project, issue 10048, and fixed by Nelson Elhage.
- The fix to the unbounded recursion introduced a memory leak in the config parser. While this leak was never in a public release, the oss-fuzz project reported this as issue 10127. The fix was implemented by Nelson Elhage and Patrick Steinhardt.
- When parsing "ok" packets received via the smart protocol, our parsing code did not correctly verify the bounds of the packets, which could result in a heap-buffer overflow. The issue was reported by the oss-fuzz project, issue 9749, and fixed by Patrick Steinhardt.
- The parsing code for the smart protocol has been tightened in general, fixing heap-buffer overflows when parsing the packet type as well as for "ACK" and "unpack" packets. The issue was discovered and fixed by Patrick Steinhardt.
- Fixed potential integer overflows on platforms with 16-bit integers when parsing packets for the smart protocol. The issue was discovered and fixed by Patrick Steinhardt.
- Fixed potential NULL pointer dereference when parsing configuration files which have "include.path" or "includeIf..path" statements without a value.
libgit2 v0.26.7
This is a security release fixing the following list of issues:

- Submodule URLs and paths with a leading "-" are now ignored. This is due to the recently discovered CVE-2018-17456, which can lead to arbitrary code execution in upstream git. While libgit2 itself is not vulnerable, it can be used to inject options in an implementation which performs a recursive clone by executing an external command.
- When running repack while doing repo writes, `packfile_load__cb()` could see some temporary files in the directory that were bigger than usual, and made `memcmp` overflow on the `p->pack_name` string. This issue was reported and fixed by bisho.
- The configuration file parser used unbounded recursion to parse multiline variables, which could lead to a stack overflow. The issue was reported by the oss-fuzz project, issue 10048, and fixed by Nelson Elhage.
- The fix to the unbounded recursion introduced a memory leak in the config parser. While this leak was never in a public release, the oss-fuzz project reported this as issue 10127. The fix was implemented by Nelson Elhage and Patrick Steinhardt.
- When parsing "ok" packets received via the smart protocol, our parsing code did not correctly verify the bounds of the packets, which could result in a heap-buffer overflow. The issue was reported by the oss-fuzz project, issue 9749, and fixed by Patrick Steinhardt.
- The parsing code for the smart protocol has been tightened in general, fixing heap-buffer overflows when parsing the packet type as well as for "ACK" and "unpack" packets. The issue was discovered and fixed by Patrick Steinhardt.
- Fixed potential integer overflows on platforms with 16-bit integers when parsing packets for the smart protocol. The issue was discovered and fixed by Patrick Steinhardt.
- Fixed potential NULL pointer dereference when parsing configuration files which have "include.path" statements without a value.
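The configuration parser item above (it appears in both the v0.27.5 and v0.26.7 lists) describes recursion whose depth is driven by the number of continuation lines in an untrusted file. As an added example, not libgit2's code, here is a loop-based reader for backslash-continued values: the input's line count controls only how often the loop runs, never stack depth, and the joined value is capped by the caller's buffer. It is simplified (no quoting or comment handling) and the function names are hypothetical.

```c
/* Added example, not libgit2 code: joining a config value that continues
 * across lines via trailing backslashes with a loop rather than recursion,
 * so the number of continuation lines in the input cannot drive stack depth.
 * Simplified (no quoting or comment handling); names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if line[0..len) ends in an odd number of backslashes: the last one
 * is unescaped and marks a continuation onto the next physical line. */
static int ends_with_continuation(const char *line, size_t len)
{
    size_t n = 0;
    while (n < len && line[len - 1 - n] == '\\')
        n++;
    return n % 2 == 1;
}

/* Append src[0..n) to out (NUL terminated, *used bytes so far); -1 on overflow. */
static int append_bounded(char *out, size_t outsz, size_t *used, const char *src, size_t n)
{
    if (n >= outsz - *used)                 /* keep room for the terminating NUL */
        return -1;
    memcpy(out + *used, src, n);
    *used += n;
    out[*used] = '\0';
    return 0;
}

/* Read one logical line starting at text[*pos], joining physical lines that
 * end in an unescaped backslash (the continuation's leading whitespace is
 * dropped). Advances *pos past what was consumed. Returns the number of
 * physical lines consumed, or -1 if the value does not fit in out. */
static int read_logical_line(const char *text, size_t len, size_t *pos, char *out, size_t outsz)
{
    size_t used = 0;
    int lines = 0;
    out[0] = '\0';
    while (*pos < len) {
        const char *line = text + *pos;
        size_t rem = len - *pos, start = 0;
        const char *nl = memchr(line, '\n', rem);
        size_t linelen = nl ? (size_t)(nl - line) : rem;
        int cont = ends_with_continuation(line, linelen);
        if (lines > 0) {                    /* continuation: skip indentation */
            while (start < linelen && (line[start] == ' ' || line[start] == '\t'))
                start++;
        }
        if (append_bounded(out, outsz, &used, line + start, linelen - start - (cont ? 1 : 0)) < 0)
            return -1;
        lines++;
        *pos += linelen + (nl ? 1 : 0);
        if (!cont)
            break;                          /* no trailing backslash: value complete */
    }
    return lines;
}

/* Constructed sample: one value spread over three physical lines, then a
 * second, single-line value. */
static const char sample_config[] =
    "key = first \\\n"
    "\tsecond \\\n"
    "  third\n"
    "next = x\n";

int main(void)
{
    char value[128];
    size_t pos = 0;
    while (pos < sizeof sample_config - 1) {
        int n = read_logical_line(sample_config, sizeof sample_config - 1, &pos, value, sizeof value);
        if (n < 0) {
            puts("value too long");
            return 1;
        }
        printf("%d physical line(s): %s\n", n, value);
    }
    return 0;
}
```

Because the joined value is built with `append_bounded`, a file with thousands of continuation lines either fits the caller's buffer or is rejected with `-1`; neither outcome involves more stack than a single frame.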
libgit2 v0.27.4
This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.
When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to strchr, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.
The issue was discovered by the oss-fuzz project, issue 9406.
libgit2 v0.26.6
This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.
When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to strchr, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.
The issue was discovered by the oss-fuzz project, issue 9406.
libgit2 v0.27.3
This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.
When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object "base". A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.
Note that the error could also be triggered by the function git_apply__patch. But as this function is not in use outside of our test suite, it is not a possible attack vector.
libgit2 v0.26.5
This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.
When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object "base". A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.
Note that the error could also be triggered by the function git_apply__patch. But as this function is not in use outside of our test suite, it is not a possible attack vector.
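The delta description above turns on an integer overflow defeating a bounds check. As an added example, not libgit2's code, the following applies a git-format delta (copy/insert opcodes, varint size header) with bounds tests written as `off <= len && size <= len - off`, a form that cannot wrap, alongside the naive `off + size <= len` test for comparison. The base object and the two delta byte strings are constructed; helper names are hypothetical.

```c
/* Added example, not libgit2 code: applying a git-style delta with bounds
 * checks that integer overflow cannot bypass, the failure mode described above.
 * The copy/insert opcode encoding follows git's pack delta format; helper names
 * and the layout of the checks are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive check: off + size may wrap around and pass although off > base_len. */
static int in_bounds_naive(size_t off, size_t size, size_t base_len)
{
    return off + size <= base_len;
}

/* Safe check: never forms the sum, so it cannot wrap. */
static int in_bounds(size_t off, size_t size, size_t base_len)
{
    return off <= base_len && size <= base_len - off;
}

/* Little-endian base-128 varint at buf[*pos..len); -1 if it runs off the end
 * or would not fit in size_t. */
static int read_varint(const unsigned char *buf, size_t len, size_t *pos, size_t *out)
{
    size_t v = 0; unsigned shift = 0;
    while (*pos < len) {
        unsigned char c = buf[(*pos)++];
        if (shift > sizeof(size_t) * 8 - 7)
            return -1;
        v |= (size_t)(c & 0x7f) << shift;
        shift += 7;
        if (!(c & 0x80)) { *out = v; return 0; }
    }
    return -1;
}

/* Apply delta[0..dlen) against base[0..blen) into out (capacity cap). Returns
 * the result length, or -1 on any malformed or out-of-range instruction. Every
 * copy is checked with in_bounds() on both source and destination first. */
static long apply_delta(const unsigned char *base, size_t blen,
                        const unsigned char *delta, size_t dlen,
                        unsigned char *out, size_t cap)
{
    size_t pos = 0, base_sz, res_sz, outpos = 0;
    if (read_varint(delta, dlen, &pos, &base_sz) < 0 || base_sz != blen)
        return -1;                                  /* header must match the real base */
    if (read_varint(delta, dlen, &pos, &res_sz) < 0 || res_sz > cap)
        return -1;
    while (pos < dlen) {
        unsigned char cmd = delta[pos++];
        if (cmd & 0x80) {                           /* copy from base */
            size_t off = 0, size = 0; int i;
            for (i = 0; i < 4; i++)                 /* up to 4 offset bytes, flags 0x01..0x08 */
                if (cmd & (1u << i)) {
                    if (pos >= dlen) return -1;
                    off |= (size_t)delta[pos++] << (8 * i);
                }
            for (i = 0; i < 3; i++)                 /* up to 3 size bytes, flags 0x10..0x40 */
                if (cmd & (0x10u << i)) {
                    if (pos >= dlen) return -1;
                    size |= (size_t)delta[pos++] << (8 * i);
                }
            if (size == 0)
                size = 0x10000;                     /* encoded zero means 64 KiB */
            if (!in_bounds(off, size, blen) || !in_bounds(outpos, size, res_sz))
                return -1;
            memcpy(out + outpos, base + off, size);
            outpos += size;
        } else if (cmd) {                           /* insert cmd literal bytes from the delta */
            if (!in_bounds(pos, cmd, dlen) || !in_bounds(outpos, cmd, res_sz))
                return -1;
            memcpy(out + outpos, delta + pos, cmd);
            pos += cmd;
            outpos += cmd;
        } else {
            return -1;                              /* opcode 0 is reserved */
        }
    }
    return outpos == res_sz ? (long)outpos : -1;    /* result size must match the header */
}

/* Constructed samples: base "hello world"; good_delta copies "world" then
 * "hello"; bad_delta asks for 5 bytes at offset 10 of an 11-byte base. */
static const unsigned char base_obj[]   = "hello world";
static const unsigned char good_delta[] = { 0x0b, 0x0a, 0x91, 0x06, 0x05, 0x90, 0x05 };
static const unsigned char bad_delta[]  = { 0x0b, 0x0a, 0x91, 0x0a, 0x05, 0x90, 0x05 };

int main(void)
{
    unsigned char out[64];
    long n = apply_delta(base_obj, 11, good_delta, sizeof good_delta, out, sizeof out);
    printf("good delta -> %ld bytes: %.*s\n", n, (int)(n < 0 ? 0 : n), (const char *)out);
    printf("bad delta  -> %ld\n", apply_delta(base_obj, 11, bad_delta, sizeof bad_delta, out, sizeof out));
    return 0;
}
```

`in_bounds_naive(SIZE_MAX - 2, 5, 100)` returns true because the sum wraps to 2, while `in_bounds` with the same arguments returns false; the decoder also checks the destination (`outpos`, `res_sz`) for every copy and insert, and insists the final length equals the header's result size, so an instruction stream cannot leave part of `out` uninitialized.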
libgit2 v0.27.2
This is a bugfix release. It includes the following non-exclusive list of improvements, which have been backported from the master branch:

- Fix builds with LibreSSL 2.7.
- Fix for `git_diff_status_char()` not returning the correct mapping for `GIT_DELTA_TYPECHANGE`.
- Fix for the submodules API not reporting errors when parsing the ".gitmodules" file.
- Fix for accepting a ".gitmodules" file where two submodules have the same path.
- Fix for hiding references in a graph walk not always limiting the graph correctly.
- Fix for directory patterns with trailing spaces in attribute files not being handled correctly.
- Fix SSH transports not properly disconnecting from the server.
- Fix reading HEAD reflog in worktrees.
- Update our copy of SHA1DC to fix errors with endianness on some platforms.
A list of commits since the last release follows:
b2e7d8c22 transports: ssh: disconnect session before freeing it
b89988c7f transports: ssh: replace deprecated function `libssh2_session_startup`
4d4a7dbf5 sha1dc: update to fix errors with endianess
59012bf41 odb: mempack: fix leaking objects when freeing mempacks
a714e836d transports: local: fix assert when fetching into repo with symrefs
b260fdc84 attr_file: fix handling of directory patterns with trailing spaces
e9ee7bd0a fixed stack smashing due to wrong size of struct stat on the stack on 32-bit systems with 64-bit file descriptor offsets enabled (added -D_FILE_OFFSET_BITS=64 when compiling the test suite)
e2a80124d refs: preserve the owning refdb when duping reference
b6623be06 tests: ensure worktrees' head have owners too
0f88adb65 Submodule API should report .gitmodules parse errors
07011e60c revwalk: fix uninteresting revs sometimes not limiting graphwalk
16b62dd4c diff: Add missing GIT_DELTA_TYPECHANGE -> 'T' mapping.
2569056d1 typo: Fixed a trivial typo in test function.
0f09d9f55 Fix build with LibreSSL 2.7
7fa6c8ce5 util: fix missing headers for MinGW environments
1cc6cc990 appveyor: disable DHE to avoid spurious failures
dad649871 appveyor: fix typo in registry key to disable DHE
a137cdbd9 refspec: check for valid parameters in git_refspec__dwim_one
96329606d worktree: Read worktree specific reflog for HEAD
2fe887e6f remote: repo is optional here
8fa0b34bd local: fix a leaking reference when iterating over a symref
b2f3ff567 worktree: fix calloc of the wrong object type
0c8ff50fe cmake: resolve libraries found by pkg-config
f2e5c092e cmake: remove now-useless LIBGIT2_LIBDIRS handling
7392799dd submodule: detect duplicated submodule paths
358651170 tests: submodule: do not rely on config iteration order
0818adece CHANGELOG.md: update for release v0.27.2
853ef86ac version: bump soversion to v0.27.2
libgit2 v0.26.4
This is a security release fixing insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans).
While submodule names come from the untrusted ".gitmodules" file, we blindly append the name to $GIT_DIR/modules to construct the final path of the submodule repository. In case the name contains e.g. ../, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.
libgit2 is not susceptible to CVE-2018-11233.
libgit2 v0.27.1
This is a security release fixing insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans).
While submodule names come from the untrusted ".gitmodules" file, we blindly append the name to `$GIT_DIR/modules` to construct the final path of the submodule repository. In case the name contains e.g. `../`, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.
libgit2 is not susceptible to CVE-2018-11233.
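The submodule-name rule here (v0.27.1 and v0.26.4) and the leading-"-" rule for submodule URLs and paths listed under v0.27.5 and v0.26.7 are both checks on untrusted `.gitmodules` values. The following is an added example, not libgit2's code: stand-alone versions of both checks run over a few constructed entries. The rules are a simplified rendering of git's own (non-empty, relative, no `..` component; no leading `-`) and the function names are hypothetical.

```c
/* Added example, not libgit2 code: stand-alone versions of the two
 * .gitmodules checks these release notes describe. submodule_name_ok()
 * refuses names that could escape $GIT_DIR/modules (CVE-2018-11235) and
 * submodule_value_ok() refuses URLs or paths with a leading "-" that a
 * recursive clone could hand to an external command as an option
 * (CVE-2018-17456). The rule set mirrors git's check in simplified form;
 * the function names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_dir_sep(char c)
{
    return c == '/' || c == '\\';                   /* accept both so Windows paths are covered */
}

/* A name is accepted only if it is non-empty, relative (no leading
 * separator, no DOS drive letter) and contains no ".." component. */
static int submodule_name_ok(const char *name, size_t len)
{
    size_t i = 0;
    if (len == 0 || is_dir_sep(name[0]))
        return 0;
    if (len >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;                                   /* "C:..." would be absolute on Windows */
    while (i < len) {
        size_t start = i;
        while (i < len && !is_dir_sep(name[i]))
            i++;                                    /* i now at the end of this component */
        if (i - start == 2 && name[start] == '.' && name[start + 1] == '.')
            return 0;                               /* ".." component escapes the modules dir */
        i++;                                        /* skip the separator */
    }
    return 1;
}

/* URLs and paths beginning with "-" are ignored, as are empty values. */
static int submodule_value_ok(const char *value, size_t len)
{
    return len > 0 && value[0] != '-';
}

/* Validate one .gitmodules entry; returns 0 if usable, else a bit mask of
 * which fields were rejected (1 = name, 2 = url, 4 = path). */
static int validate_submodule(const char *name, const char *url, const char *path)
{
    int bad = 0;
    if (!submodule_name_ok(name, strlen(name)))  bad |= 1;
    if (!submodule_value_ok(url, strlen(url)))   bad |= 2;
    if (!submodule_value_ok(path, strlen(path))) bad |= 4;
    return bad;
}

int main(void)
{
    /* Constructed entries: the first is fine, the others each trip one rule. */
    static const char *entries[][3] = {
        { "lib/helper",  "https://example.invalid/helper.git", "lib/helper" },
        { "../../hooks", "https://example.invalid/x.git",      "x" },
        { "ok",          "-bad-url",                           "x" },
        { "ok",          "https://example.invalid/x.git",      "-bad-path" },
    };
    size_t i;
    for (i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        int bad = validate_submodule(entries[i][0], entries[i][1], entries[i][2]);
        printf("%-12s -> %s (mask %d)\n", entries[i][0], bad ? "ignored" : "accepted", bad);
    }
    return 0;
}
```

Component-wise checking is what makes the name rule robust: `..x` is a legitimate directory name and passes, while `a/../b`, `a/..` and the backslash-separated `a\..\b` are all rejected because a component is exactly `..`.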