pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/devel/libgit2 devel/libgit2: update to 0.27.4

branches:  trunk
changeset: 313086:53f6defd5eed
user:      taca <>
date:      Sun Sep 23 15:11:42 2018 +0000

devel/libgit2: update to 0.27.4


This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.

When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to `strchr`, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.


This is a security release fixing out-of-bounds reads when
reading objects from a packfile. This corresponds to
CVE-2018-10887 and CVE-2018-10888, which were both reported by
Riccardo Schirone.

When packing objects into a single so-called packfile, objects
may not get stored as complete copies but instead as deltas
against another object "base". A specially crafted delta object
could trigger an integer overflow and thus bypass our input
validation, which may result in copying memory before or after
the base object into the final deflated object. This may lead to
objects containing copies of system memory being written into the
object database. As the hash of those objects cannot be easily
controlled by the attacker, it is unlikely that any of those
objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function
`git_apply__patch`. But as this function is not in use outside of
our test suite, it is not a possible attack vector.


 devel/libgit2/Makefile |   5 ++---
 devel/libgit2/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diffs (28 lines):

diff -r 7df89b66c2b6 -r 53f6defd5eed devel/libgit2/Makefile
--- a/devel/libgit2/Makefile    Sun Sep 23 15:10:40 2018 +0000
+++ b/devel/libgit2/Makefile    Sun Sep 23 15:11:42 2018 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.27 2018/08/16 18:54:41 adam Exp $
+# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
-DISTNAME=      libgit2-0.27.1
+DISTNAME=      libgit2-0.27.4
 CATEGORIES=    devel
diff -r 7df89b66c2b6 -r 53f6defd5eed devel/libgit2/distinfo
--- a/devel/libgit2/distinfo    Sun Sep 23 15:10:40 2018 +0000
+++ b/devel/libgit2/distinfo    Sun Sep 23 15:11:42 2018 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.12 2018/06/05 18:48:22 wiz Exp $
+$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
-SHA1 (libgit2-0.27.1.tar.gz) = 2ce74b2dcec76ee0467a26c0cda8153bd29a2ad4
-RMD160 (libgit2-0.27.1.tar.gz) = 46dd959617292cebdbcb031ef49f62acd6e5e62f
-SHA512 (libgit2-0.27.1.tar.gz) = 4cdee4aec0f0c7b36226ee29276b8802d6b59817f95b1357f35225c23a8d6de70242b2dd9a5fb3b765c3242f4ed1848933e20fc24899071d8b443d46c43ce99d
-Size (libgit2-0.27.1.tar.gz) = 4765926 bytes
+SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
+RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
+SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
+Size (libgit2-0.27.4.tar.gz) = 4772254 bytes

Home | Main Index | Thread Index | Old Index