pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/devel/libgit2 devel/libgit2: update to 0.27.5
details: https://anonhg.NetBSD.org/pkgsrc/rev/d409bb9e4f7c
branches: trunk
changeset: 314094:d409bb9e4f7c
user: taca <taca%pkgsrc.org@localhost>
date: Thu Oct 18 14:43:01 2018 +0000
description:
devel/libgit2: update to 0.27.5
libgit2 0.27.5 (2018/10/5)
This is a security release fixing the following list of issues:
* Submodule URLs and paths with a leading "-" are now ignored. This is due to
the recently discovered CVE-2018-17456, which can lead to arbitrary code
execution in upstream git. While libgit2 itself is not vulnerable, it can
be used to inject options in an implementation which performs a recursive
clone by executing an external command.
* When running repack while doing repo writes, packfile_load__cb() could see
some temporary files in the directory that were bigger than usual, which
made memcmp overflow on the p->pack_name string. This issue was reported
and fixed by bisho.
* The configuration file parser used unbounded recursion to parse multiline
variables, which could lead to a stack overflow. The issue was reported by
the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.
* The fix to the unbounded recursion introduced a memory leak in the config
parser. While this leak was never in a public release, the oss-fuzz project
reported this as issue 10127. The fix was implemented by Nelson Elhage and
Patrick Steinhardt.
* When parsing "ok" packets received via the smart protocol, our parsing code
did not correctly verify the bounds of the packets, which could result in a
heap-buffer overflow. The issue was reported by the oss-fuzz project, issue
9749 and fixed by Patrick Steinhardt.
* The parsing code for the smart protocol has been tightened in general,
fixing heap-buffer overflows when parsing the packet type as well as for
"ACK" and "unpack" packets. The issue was discovered and fixed by Patrick
Steinhardt.
* Fixed potential integer overflows on platforms with 16 bit integers when
parsing packets for the smart protocol. The issue was discovered and fixed
by Patrick Steinhardt.
* Fixed potential NULL pointer dereference when parsing configuration files
which have "include.path" or "includeIf..path" statements without a value.
diffstat:
devel/libgit2/Makefile | 4 ++--
devel/libgit2/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (27 lines):
diff -r b8e0475e29d6 -r d409bb9e4f7c devel/libgit2/Makefile
--- a/devel/libgit2/Makefile Thu Oct 18 14:40:07 2018 +0000
+++ b/devel/libgit2/Makefile Thu Oct 18 14:43:01 2018 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
+# $NetBSD: Makefile,v 1.29 2018/10/18 14:43:01 taca Exp $
-DISTNAME= libgit2-0.27.4
+DISTNAME= libgit2-0.27.5
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_GITHUB:=libgit2/}
GITHUB_TAG= v${PKGVERSION_NOREV}
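Review bot: the hunk only bumps DISTNAME; since GITHUB_TAG is derived from PKGVERSION_NOREV that is sufficient for the fetch, but the context shown does not include any PKGREVISION line, so confirm in the unchanged part of the Makefile that no stale PKGREVISION survives the version bump (it must be dropped when DISTNAME changes), and that this security update is recorded in the pkgsrc CHANGES file, which this diffstat does not touch.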
diff -r b8e0475e29d6 -r d409bb9e4f7c devel/libgit2/distinfo
--- a/devel/libgit2/distinfo Thu Oct 18 14:40:07 2018 +0000
+++ b/devel/libgit2/distinfo Thu Oct 18 14:43:01 2018 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
+$NetBSD: distinfo,v 1.14 2018/10/18 14:43:01 taca Exp $
-SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
-RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
-SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
-Size (libgit2-0.27.4.tar.gz) = 4772254 bytes
+SHA1 (libgit2-0.27.5.tar.gz) = dc339e9dd54316bd44b2769b52d5e30943e90dcf
+RMD160 (libgit2-0.27.5.tar.gz) = 864a350940288b3bdbdc90601cb24aed46ce7cbe
+SHA512 (libgit2-0.27.5.tar.gz) = 318b981456d55f60f8aa1897f1f70274329e48f09769b661eb4bbe76399071eca0fbc7deacb3191db16bc89dba8cc69a64adaf8cbc65e34a65b6e72ca122e21f
+Size (libgit2-0.27.5.tar.gz) = 4775158 bytes
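Review bot: the replacement SHA1/RMD160/SHA512/Size lines give no indication of how they were obtained; because MASTER_SITES points at GitHub's tag archive, whose generated tarball bytes are not guaranteed stable, the SHA512 should be cross-checked against an archive fetched from the upstream v0.27.5 tag (or an upstream-published checksum) before commit, so that a later silent change to the generated tarball shows up as a checksum mismatch rather than as a quietly re-recorded distinfo.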