CVS commit: pkgsrc/devel/libgit2

["Takahiro Kambe" <taca%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   taca
Date:           Sun Sep 23 15:11:43 UTC 2018

Modified Files:
        pkgsrc/devel/libgit2: Makefile distinfo

Log Message:
devel/libgit2: update to 0.27.4

v0.27.4
-------

This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.

When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to `strchr`, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.

v0.27.3
-------

This is a security release fixing out-of-bounds reads when
reading objects from a packfile. This corresponds to
CVE-2018-10887 and CVE-2018-10888, which were both reported by
Riccardo Schirone.

When packing objects into a single so-called packfile, objects
may not get stored as complete copies but instead as deltas
against another object "base". A specially crafted delta object
could trigger an integer overflow and thus bypass our input
validation, which may result in copying memory before or after
the base object into the final deflated object. This may lead to
objects containing copies of system memory being written into the
object database. As the hash of those objects cannot be easily
controlled by the attacker, it is unlikely that any of those
objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function
`git_apply__patch`. But as this function is not in use outside of
our test suite, it is not a possible attack vector.


To generate a diff of this commit:
cvs rdiff -u -r1.27 -r1.28 pkgsrc/devel/libgit2/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/devel/libgit2/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/libgit2/Makefile
diff -u pkgsrc/devel/libgit2/Makefile:1.27 pkgsrc/devel/libgit2/Makefile:1.28
--- pkgsrc/devel/libgit2/Makefile:1.27  Thu Aug 16 18:54:41 2018
+++ pkgsrc/devel/libgit2/Makefile       Sun Sep 23 15:11:42 2018
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.27 2018/08/16 18:54:41 adam Exp $
+# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
 
-DISTNAME=      libgit2-0.27.1
-PKGREVISION=   1
+DISTNAME=      libgit2-0.27.4
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libgit2/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}

Index: pkgsrc/devel/libgit2/distinfo
diff -u pkgsrc/devel/libgit2/distinfo:1.12 pkgsrc/devel/libgit2/distinfo:1.13
--- pkgsrc/devel/libgit2/distinfo:1.12  Tue Jun  5 18:48:22 2018
+++ pkgsrc/devel/libgit2/distinfo       Sun Sep 23 15:11:42 2018
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.12 2018/06/05 18:48:22 wiz Exp $
+$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
 
-SHA1 (libgit2-0.27.1.tar.gz) = 2ce74b2dcec76ee0467a26c0cda8153bd29a2ad4
-RMD160 (libgit2-0.27.1.tar.gz) = 46dd959617292cebdbcb031ef49f62acd6e5e62f
-SHA512 (libgit2-0.27.1.tar.gz) = 4cdee4aec0f0c7b36226ee29276b8802d6b59817f95b1357f35225c23a8d6de70242b2dd9a5fb3b765c3242f4ed1848933e20fc24899071d8b443d46c43ce99d
-Size (libgit2-0.27.1.tar.gz) = 4765926 bytes
+SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
+RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
+SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
+Size (libgit2-0.27.4.tar.gz) = 4772254 bytes