Releases: libgit2/libgit2

libgit2 v0.26.8

26 Oct 13:26
32dc763

This is a security release fixing the following list of issues:

  • The function family git__strtol is used to parse integers
    from a buffer. As the functions do not take a buffer length as
    argument, they will scan either until the end of the current
    number or until a NUL byte is encountered. Many callers have
    been misusing the function and called it on potentially
    non-NUL-terminated buffers, resulting in possible out-of-bounds
    reads. Callers have been fixed to use git__strntol functions
    instead and git__strtol functions were removed.

  • The function git__strntol64 relied on the undefined behavior
    of signed integer overflows. While the code tried to detect
    such overflows after they have happened, this is unspecified
    behavior and may lead to weird behavior on uncommon platforms.

  • In the case where git__strntol32 was unable to parse an
    integer because it doesn't fit into an int32_t, it printed an
    error message containing the string that is currently being
    parsed. The code didn't truncate the string though, which
    caused it to print the complete string until a NUL byte is
    encountered and not only the currently parsed number. In cases
    where the string was not NUL terminated, this could have led
    to an out-of-bounds read.

  • When parsing tags, all unknown fields that appear before the
    tag message are skipped. This skipping is done by using a plain
    strstr(buffer, "\n\n") to search for the two newlines that
    separate tag fields from tag message. As it is not possible to
    supply a buffer length to strstr, this call may skip over the
    buffer's end and thus result in an out of bounds read. As
    strstr may return a pointer that is out of bounds, the
    following computation of buffer_end - buffer will overflow
    and result in an allocation of an invalid length. Note that
    when reading objects from the object database, we make sure to
    always NUL terminate them, making the use of strstr safe.

  • When parsing the "encoding" field of a commit, we may perform
    an out of bounds read due to using git__prefixcmp instead of
    git__prefixncmp. This can result in the parsed commit object
    containing uninitialized data in both its message encoding and
    message fields. Note that when reading objects from the object
    database, we make sure to always NUL terminate them, making the
    use of strstr safe.
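The first three bullets share one fix: parse from an explicit length, never from a NUL terminator, and detect overflow before it happens rather than after. The following is an added example in that spirit, not libgit2's own git__strntol code; the function names and the error-message helper are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parses a base-10 integer from at most `len` bytes of `buf`. It never reads
 * past buf + len and never relies on a NUL terminator. Returns 0 on success
 * (value in *out, *end at the first unconsumed byte), -1 if no digits were
 * found or the value does not fit into int64_t. */
int parse_int64_bounded(const char *buf, size_t len, int64_t *out, const char **end)
{
    const char *p = buf, *lim = buf + len;
    uint64_t acc = 0, limit;
    int neg = 0;

    while (p < lim && (*p == ' ' || *p == '\t'))
        p++;
    if (p < lim && (*p == '-' || *p == '+'))
        neg = (*p++ == '-');
    /* Largest magnitude we may accumulate: INT64_MAX, or one more if negative. */
    limit = neg ? (uint64_t)INT64_MAX + 1 : (uint64_t)INT64_MAX;

    if (p >= lim || *p < '0' || *p > '9')
        return -1;
    for (; p < lim && *p >= '0' && *p <= '9'; p++) {
        unsigned d = (unsigned)(*p - '0');
        /* Test before multiplying: a signed overflow would be undefined
         * behaviour and an unsigned one would wrap silently. */
        if (acc > (limit - d) / 10)
            return -1;
        acc = acc * 10 + d;
    }
    if (end)
        *end = p;
    /* Build the negative value without ever negating INT64_MIN's magnitude. */
    *out = neg ? (acc ? -(int64_t)(acc - 1) - 1 : 0) : (int64_t)acc;
    return 0;
}

/* Formats an error that quotes only the `len` bytes under parse. The
 * precision argument keeps printf from scanning on until a NUL byte. */
int format_parse_error(char *dst, size_t dstsz, const char *buf, size_t len)
{
    return snprintf(dst, dstsz, "failed to parse number: '%.*s'", (int)len, buf);
}
```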

libgit2 v0.27.5

05 Oct 17:37
8e0b172

This is a security release fixing the following list of issues:

  • Submodule URLs and paths with a leading "-" are now ignored.
    This is due to the recently discovered CVE-2018-17456, which
    can lead to arbitrary code execution in upstream git. While
    libgit2 itself is not vulnerable, it can be used to inject
    options in an implementation which performs a recursive clone
    by executing an external command.

  • When running repack while doing repo writes,
    packfile_load__cb() could see temporary files in the directory
    that were larger than usual, which made memcmp overflow the
    p->pack_name string. This issue was reported and fixed by
    bisho.

  • The configuration file parser used unbounded recursion to parse
    multiline variables, which could lead to a stack overflow. The
    issue was reported by the oss-fuzz project, issue 10048 and
    fixed by Nelson Elhage.

  • The fix to the unbounded recursion introduced a memory leak in
    the config parser. While this leak was never in a public
    release, the oss-fuzz project reported this as issue 10127. The
    fix was implemented by Nelson Elhage and Patrick Steinhardt.

  • When parsing "ok" packets received via the smart protocol, our
    parsing code did not correctly verify the bounds of the
    packets, which could result in a heap-buffer overflow. The
    issue was reported by the oss-fuzz project, issue 9749 and
    fixed by Patrick Steinhardt.

  • The parsing code for the smart protocol has been tightened in
    general, fixing heap-buffer overflows when parsing the packet
    type as well as for "ACK" and "unpack" packets. The issue was
    discovered and fixed by Patrick Steinhardt.

  • Fixed potential integer overflows on platforms with 16-bit
    integers when parsing packets for the smart protocol. The issue
    was discovered and fixed by Patrick Steinhardt.

  • Fixed potential NULL pointer dereference when parsing
    configuration files which have "include.path" or
    "includeIf..path" statements without a value.

libgit2 v0.26.7

05 Oct 17:37
2bd9b6b

This is a security release fixing the following list of issues:

  • Submodule URLs and paths with a leading "-" are now ignored.
    This is due to the recently discovered CVE-2018-17456, which
    can lead to arbitrary code execution in upstream git. While
    libgit2 itself is not vulnerable, it can be used to inject
    options in an implementation which performs a recursive clone
    by executing an external command.

  • When running repack while doing repo writes,
    packfile_load__cb() could see temporary files in the directory
    that were larger than usual, which made memcmp overflow the
    p->pack_name string. This issue was reported and fixed by
    bisho.

  • The configuration file parser used unbounded recursion to parse
    multiline variables, which could lead to a stack overflow. The
    issue was reported by the oss-fuzz project, issue 10048 and
    fixed by Nelson Elhage.

  • The fix to the unbounded recursion introduced a memory leak in
    the config parser. While this leak was never in a public
    release, the oss-fuzz project reported this as issue 10127. The
    fix was implemented by Nelson Elhage and Patrick Steinhardt.

  • When parsing "ok" packets received via the smart protocol, our
    parsing code did not correctly verify the bounds of the
    packets, which could result in a heap-buffer overflow. The
    issue was reported by the oss-fuzz project, issue 9749 and
    fixed by Patrick Steinhardt.

  • The parsing code for the smart protocol has been tightened in
    general, fixing heap-buffer overflows when parsing the packet
    type as well as for "ACK" and "unpack" packets. The issue was
    discovered and fixed by Patrick Steinhardt.

  • Fixed potential integer overflows on platforms with 16-bit
    integers when parsing packets for the smart protocol. The issue
    was discovered and fixed by Patrick Steinhardt.

  • Fixed potential NULL pointer dereference when parsing
    configuration files which have "include.path" statements
    without a value.

libgit2 v0.27.4

06 Aug 08:52
8b89f36

This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.

When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to strchr, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.

libgit2 v0.26.6

06 Aug 08:51
e98d0a3

This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.

When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to strchr, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.
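The "ng" packet bug above and the tag-parsing strstr(buffer, "\n\n") bug in v0.26.8 are the same mistake: a NUL-searching libc routine applied to a buffer whose only real boundary is a length. The following added example (my code, not libgit2's) shows the length-bounded alternatives for both; the "ng <refname> <error text>" layout is an assumption made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Bounded substring search (a small portable memmem). Only positions where
 * the whole needle still fits inside buf[0..len) are examined, so it never
 * reads past the buffer even when no NUL byte follows it. */
const char *find_bounded(const char *buf, size_t len, const char *needle, size_t nlen)
{
    const char *p = buf;
    if (nlen == 0 || nlen > len)
        return NULL;
    while ((p = memchr(p, needle[0], len - nlen + 1 - (size_t)(p - buf))) != NULL) {
        if (memcmp(p, needle, nlen) == 0)
            return p;
        p++;
    }
    return NULL;
}

/* Tag objects: the message starts after the first "\n\n". Returns its offset
 * or (size_t)-1 if no separator lies within the buffer; the caller then
 * rejects the object rather than computing a length from a pointer that
 * strstr could have returned from beyond the buffer's end. */
size_t tag_message_offset(const char *buf, size_t len)
{
    const char *sep = find_bounded(buf, len, "\n\n", 2);
    return sep ? (size_t)(sep - buf) + 2 : (size_t)-1;
}

/* "ng" packets, assumed here to be laid out as "ng <refname> <error text>".
 * The space after the refname is found with memchr over the remaining
 * length instead of strchr, which would run on until a NUL byte. Returns 0
 * and sets ref/ref_len, or -1 if the packet is truncated or malformed. */
int ng_packet_refname(const char *line, size_t len, const char **ref, size_t *ref_len)
{
    const char *sp;
    if (len < 3 || memcmp(line, "ng ", 3) != 0)
        return -1;
    line += 3;
    len -= 3;
    sp = memchr(line, ' ', len);
    if (sp == NULL || sp == line)
        return -1;
    *ref = line;
    *ref_len = (size_t)(sp - line);
    return 0;
}
```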

libgit2 v0.27.3

09 Jul 13:29
504bd54

This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.

When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object "base". A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function git_apply__patch. But as this function is not in use outside of our test suite, it is not a possible attack vector.

libgit2 v0.26.5

09 Jul 14:13
a3e53c1

This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.

When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object "base". A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function git_apply__patch. But as this function is not in use outside of our test suite, it is not a possible attack vector.
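For the delta bug described in v0.27.3 and v0.26.5, the defensive pattern is to bound-check a copy range without ever computing a sum that can wrap. The following added example is mine, not libgit2's delta code; it decodes the standard git delta copy instruction and applies it only after an overflow-free range check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decodes a git delta "copy" instruction: bit 7 set; bits 0-3 say which of
 * the four offset bytes follow, bits 4-6 which of the three size bytes, and a
 * size of 0 stands for 0x10000. Returns bytes consumed, or 0 when the
 * instruction is not a copy or is truncated, so the reader never runs past len. */
size_t delta_decode_copy(const unsigned char *d, size_t len, size_t *off, size_t *size)
{
    size_t i = 1, o = 0, s = 0;
    int b;
    if (len == 0 || !(d[0] & 0x80))
        return 0;
    for (b = 0; b < 4; b++)
        if (d[0] & (1u << b)) {
            if (i >= len) return 0;
            o |= (size_t)d[i++] << (8 * b);
        }
    for (b = 0; b < 3; b++)
        if (d[0] & (0x10u << b)) {
            if (i >= len) return 0;
            s |= (size_t)d[i++] << (8 * b);
        }
    *off = o;
    *size = s ? s : 0x10000;
    return i;
}

/* The naive test `off + size > base_len` can wrap when off or size is close
 * to SIZE_MAX and then accept a range outside the base object. Checking the
 * two bounds separately cannot overflow. Returns 1 if the range is inside. */
int delta_copy_range_ok(size_t base_len, size_t off, size_t size)
{
    return off <= base_len && size <= base_len - off;
}

/* Copies one validated range from the base into out[out_pos..], also
 * refusing writes past the output buffer. Returns bytes copied or (size_t)-1. */
size_t delta_apply_copy(const unsigned char *base, size_t base_len, size_t off, size_t size,
                        unsigned char *out, size_t out_len, size_t out_pos)
{
    if (!delta_copy_range_ok(base_len, off, size))
        return (size_t)-1;
    if (out_pos > out_len || size > out_len - out_pos)
        return (size_t)-1;
    memcpy(out + out_pos, base + off, size);
    return size;
}
```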

libgit2 v0.27.2

10 Jun 16:13
8d36dc6

This is a bugfix release. It includes the following non-exclusive list of
improvements, which have been backported from the master branch:

  • Fix builds with LibreSSL 2.7.

  • Fix for git_diff_status_char() not returning the correct mapping for
    GIT_DELTA_TYPECHANGE.

  • Fix for the submodules API not reporting errors when parsing the ".gitmodules"
    file.

  • Fix for accepting a ".gitmodules" file where two submodules have the same
    path.

  • Fix for hiding references in a graph walk not always limiting the graph
    correctly.

  • Fix for directory patterns with trailing spaces in attribute files not being
    handled correctly.

  • Fix SSH transports not properly disconnecting from the server.

  • Fix reading HEAD reflog in worktrees.

  • Update our copy of SHA1DC to fix errors with endianness on some platforms.

A list of commits since the last release follows:

b2e7d8c22 transports: ssh: disconnect session before freeing it
b89988c7f transports: ssh: replace deprecated function `libssh2_session_startup`
4d4a7dbf5 sha1dc: update to fix errors with endianess
59012bf41 odb: mempack: fix leaking objects when freeing mempacks
a714e836d transports: local: fix assert when fetching into repo with symrefs
b260fdc84 attr_file: fix handling of directory patterns with trailing spaces
e9ee7bd0a fixed stack smashing due to wrong size of struct stat on the stack on 32-bit systems with 64-bit file descriptor offsets enabled (added -D_FILE_OFFSET_BITS=64 when compiling the test suite)
e2a80124d refs: preserve the owning refdb when duping reference
b6623be06 tests: ensure worktrees' head have owners too
0f88adb65 Submodule API should report .gitmodules parse errors
07011e60c revwalk: fix uninteresting revs sometimes not limiting graphwalk
16b62dd4c diff: Add missing GIT_DELTA_TYPECHANGE -> 'T' mapping.
2569056d1 typo: Fixed a trivial typo in test function.
0f09d9f55 Fix build with LibreSSL 2.7
7fa6c8ce5 util: fix missing headers for MinGW environments
1cc6cc990 appveyor: disable DHE to avoid spurious failures
dad649871 appveyor: fix typo in registry key to disable DHE
a137cdbd9 refspec: check for valid parameters in git_refspec__dwim_one
96329606d worktree: Read worktree specific reflog for HEAD
2fe887e6f remote: repo is optional here
8fa0b34bd local: fix a leaking reference when iterating over a symref
b2f3ff567 worktree: fix calloc of the wrong object type
0c8ff50fe cmake: resolve libraries found by pkg-config
f2e5c092e cmake: remove now-useless LIBGIT2_LIBDIRS handling
7392799dd submodule: detect duplicated submodule paths
358651170 tests: submodule: do not rely on config iteration order
0818adece CHANGELOG.md: update for release v0.27.2
853ef86ac version: bump soversion to v0.27.2

libgit2 v0.26.4

04 Jun 15:38
ca55ada

This is a security release fixing insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans).

While submodule names come from the untrusted ".gitmodules" file, we blindly appended the name to $GIT_DIR/modules to construct the final path of the submodule repository. If the name contains e.g. ../, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.

libgit2 is not susceptible to CVE-2018-11233.

libgit2 v0.27.1

29 May 18:08
b0d9952

This is a security release fixing insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans).

While submodule names come from the untrusted ".gitmodules" file, we blindly appended the name to $GIT_DIR/modules to construct the final path of the submodule repository. If the name contains e.g. ../, an adversary would be able to escape your repository and write data at arbitrary paths. In accordance with git, we now enforce some rules for submodule names which will cause libgit2 to ignore these malicious names.

libgit2 is not susceptible to CVE-2018-11233.
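The submodule-name check described for CVE-2018-11235 and the leading "-" rule from the v0.27.5/v0.26.7 notes (CVE-2018-17456) are both input validation on values read from ".gitmodules". The following added example is my own illustration of such checks, not the rules libgit2 or git actually implement; the exact component rules and the separator handling are assumptions.

```c
#include <stddef.h>

/* Illustrative checks for a submodule name that will be appended to
 * $GIT_DIR/modules/ (assumed rules, not a copy of libgit2's or git's exact
 * checks): reject empty names, absolute paths, empty components and any "."
 * or ".." component, treating both '/' and '\\' as separators. Returns 1
 * when the name is safe to use as a relative path, 0 otherwise. */
int submodule_name_is_safe(const char *name, size_t len)
{
    size_t start = 0, i;

    if (len == 0 || name[0] == '/' || name[0] == '\\')
        return 0;
    for (i = 0; i <= len; i++) {
        if (i == len || name[i] == '/' || name[i] == '\\') {
            size_t clen = i - start;
            if (clen == 0 && i != len)                  /* "a//b" */
                return 0;
            if (clen == 1 && name[start] == '.')        /* "." */
                return 0;
            if (clen == 2 && name[start] == '.' && name[start + 1] == '.')
                return 0;                               /* ".." escapes upward */
            start = i + 1;
        }
    }
    return 1;
}

/* Option-injection guard for submodule URLs and paths: a value beginning with
 * '-' would be read as a command-line flag by a tool that shells out to
 * `git clone`. Returns 1 if the value may be passed on, 0 if it must be ignored. */
int submodule_value_is_safe(const char *value, size_t len)
{
    return len > 0 && value[0] != '-';
}
```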