pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/devel/libgit2 devel/libgit2: update to 0.27.5



details:   https://anonhg.NetBSD.org/pkgsrc/rev/d409bb9e4f7c
branches:  trunk
changeset: 314094:d409bb9e4f7c
user:      taca <taca%pkgsrc.org@localhost>
date:      Thu Oct 18 14:43:01 2018 +0000

description:
devel/libgit2: update to 0.27.5

libgit2 0.27.5 (2018/10/5)

This is a security release fixing the following list of issues:

* Submodule URLs and paths with a leading "-" are now ignored.  This is due to
  the recently discovered CVE-2018-17456, which can lead to arbitrary code
  execution in upstream git.  While libgit2 itself is not vulnerable, it can
  be used to inject options in an implementation which performs a recursive
  clone by executing an external command.

* When running repack while doing repo writes, packfile_load__cb() could see
  some temporary files in the directory that were bigger than usual, and
  make memcmp overflow on the p->pack_name string.  This issue was reported
  and fixed by bisho.

* The configuration file parser used unbounded recursion to parse multiline
  variables, which could lead to a stack overflow.  The issue was reported by
  the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

* The fix to the unbounded recursion introduced a memory leak in the config
  parser.  While this leak was never in a public release, the oss-fuzz project
  reported this as issue 10127.  The fix was implemented by Nelson Elhage and
  Patrick Steinhardt.

* When parsing "ok" packets received via the smart protocol, our parsing code
  did not correctly verify the bounds of the packets, which could result in a
  heap-buffer overflow.  The issue was reported by the oss-fuzz project, issue
  9749 and fixed by Patrick Steinhardt.

* The parsing code for the smart protocol has been tightened in general,
  fixing heap-buffer overflows when parsing the packet type as well as for
  "ACK" and "unpack" packets.  The issue was discovered and fixed by Patrick
  Steinhardt.

* Fixed potential integer overflows on platforms with 16 bit integers when
  parsing packets for the smart protocol.  The issue was discovered and fixed
  by Patrick Steinhardt.

* Fixed potential NULL pointer dereference when parsing configuration files
  which have "include.path" or "includeIf..path" statements without a value.
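
The first item above describes the rule libgit2 now applies to submodule entries. The C below is an added example, not libgit2's code and not part of the pkgsrc package: it reads a constructed .gitmodules snippet with a minimal section/key parser and then applies that rule, refusing any entry whose url or path begins with "-", because a consumer that runs `git clone <url> <path>` as an external command would otherwise hand that value to git as a command-line option. The struct and function names are this example's own, and the "--injected-option" URL in the sample is a placeholder, not a real git flag.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libgit2 code: a minimal .gitmodules reader and the
 * 0.27.5 rule that entries whose url or path begins with '-' are ignored. */

struct submodule { char name[64]; char path[256]; char url[256]; };

/* Strip surrounding whitespace in place; returns the new start. */
static char *trim(char *s)
{
    char *e;
    while (isspace((unsigned char)*s)) s++;
    for (e = s + strlen(s); e > s && isspace((unsigned char)e[-1]); e--) e[-1] = '\0';
    return s;
}

/* Reads '[submodule "name"]' sections with 'path = ...' / 'url = ...' keys; other
 * sections and keys are skipped. Returns entries filled, or -1 if anything overflows. */
int parse_gitmodules(const char *text, struct submodule *out, size_t max)
{
    char line[512];
    size_t n = 0;
    int in_submodule = 0;

    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char *s, *eq, *key, *val, *dst = NULL;
        size_t dstsz = 0;

        if (len >= sizeof(line)) return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += nl ? len + 1 : len;
        s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';') continue;     /* blank or comment */
        if (*s == '[') {                                         /* section header */
            char *q1 = strchr(s, '"'), *q2 = q1 ? strchr(q1 + 1, '"') : NULL;
            in_submodule = 0;
            if (strncmp(s, "[submodule ", 11) != 0 || !q1 || !q2) continue;
            if (n == max || (size_t)(q2 - q1 - 1) >= sizeof(out[n].name)) return -1;
            memset(&out[n], 0, sizeof(out[n]));
            memcpy(out[n].name, q1 + 1, (size_t)(q2 - q1 - 1));
            in_submodule = 1;
            n++;
            continue;
        }
        if (!in_submodule || !(eq = strchr(s, '='))) continue;
        *eq = '\0';
        key = trim(s);
        val = trim(eq + 1);
        if (strcmp(key, "path") == 0) { dst = out[n - 1].path; dstsz = sizeof(out[n - 1].path); }
        else if (strcmp(key, "url") == 0) { dst = out[n - 1].url; dstsz = sizeof(out[n - 1].url); }
        if (!dst) continue;
        if (strlen(val) >= dstsz) return -1;
        strcpy(dst, val);
    }
    return (int)n;
}

/* Usable only if both fields exist and neither starts with '-': a consumer that
 * runs 'git clone <url> <path>' would otherwise pass the value to git as an option. */
int submodule_is_usable(const struct submodule *sm)
{
    return sm->url[0] != '\0' && sm->path[0] != '\0' && sm->url[0] != '-' && sm->path[0] != '-';
}

/* Test helpers: entries parsed, and entries that survive the rule (-1 on parse error). */
int count_entries(const char *text)
{
    struct submodule sm[16];
    return parse_gitmodules(text, sm, 16);
}

int count_usable(const char *text)
{
    struct submodule sm[16];
    int i, k = 0, n = parse_gitmodules(text, sm, 16);
    for (i = 0; i < n; i++) k += submodule_is_usable(&sm[i]);
    return n < 0 ? -1 : k;
}

/* Constructed sample; "--injected-option" is a placeholder, not a real git flag. */
static const char sample_gitmodules[] =
    "[submodule \"libfoo\"]\n\tpath = deps/libfoo\n\turl = https://example.com/libfoo.git\n"
    "[submodule \"evil\"]\n\tpath = deps/evil\n\turl = --injected-option\n";

int main(void)
{
    struct submodule sm[16];
    int i, n = parse_gitmodules(sample_gitmodules, sm, 16);
    for (i = 0; i < n; i++)
        printf("%s: %s %s -> %s\n", sm[i].name, sm[i].path, sm[i].url,
               submodule_is_usable(&sm[i]) ? "clone" : "ignored");
    return 0;
}
```

The check is deliberately on the raw first byte rather than on a list of known git options: any value starting with "-" is a candidate for option injection, and a consumer that wants defence in depth should additionally pass `--` before positional arguments when it builds the clone command.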

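Several of the items above concern bounds checks in the smart-protocol packet parser (the "ok", "ACK" and "unpack" packets and the packet type itself). The C below is an added example, not libgit2's parser, showing the shape of a bounded pkt-line reader: the 4-byte hex length prefix is validated against the bytes actually available, every prefix comparison is guarded by the payload length rather than by a NUL terminator the wire does not guarantee, and an "ok" packet with no refname is rejected instead of being read past its end. The sample stream is constructed, and all type, struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libgit2 code: a bounded parser for git smart-protocol
 * pkt-lines. Every access is checked against the length the 4-byte hex prefix
 * announces and the bytes actually present, never against a NUL terminator. */
enum pkt_type { PKT_FLUSH, PKT_OK, PKT_ACK, PKT_NAK, PKT_UNPACK, PKT_OTHER };

struct pkt {
    enum pkt_type type;
    char text[256];   /* PKT_OK: refname; PKT_ACK: object id */
    int unpack_ok;    /* PKT_UNPACK: 1 only when the payload is exactly "unpack ok" */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* 1 if the first plen bytes of p begin with prefix; never reads past plen. */
static int has_prefix(const char *p, size_t plen, const char *prefix)
{
    size_t n = strlen(prefix);
    return plen >= n && memcmp(p, prefix, n) == 0;
}

/* Parse one pkt-line from buf[0..buflen). Returns 0 and sets *consumed on
 * success, -1 for a truncated or malformed packet. Never reads past buflen. */
int pkt_parse(const char *buf, size_t buflen, struct pkt *out, size_t *consumed)
{
    size_t len = 0, plen, i;
    const char *p;

    memset(out, 0, sizeof(*out));
    if (buflen < 4) return -1;                          /* no complete length prefix */
    for (i = 0; i < 4; i++) {
        int v = hexval(buf[i]);
        if (v < 0) return -1;
        len = (len << 4) | (size_t)v;
    }
    if (len == 0) { out->type = PKT_FLUSH; *consumed = 4; return 0; }   /* "0000" flush-pkt */
    if (len < 4 || len > buflen) return -1;             /* bogus length or truncated data */
    p = buf + 4;
    plen = len - 4;
    if (plen > 0 && p[plen - 1] == '\n') plen--;        /* optional trailing newline */

    if (has_prefix(p, plen, "ok ")) {
        if (plen == 3 || plen - 3 >= sizeof(out->text)) return -1;   /* no refname, or too long */
        memcpy(out->text, p + 3, plen - 3);             /* out is zeroed, so text stays terminated */
        out->type = PKT_OK;
    } else if (has_prefix(p, plen, "ACK ")) {
        const char *oid = p + 4;
        size_t rem = plen - 4;                          /* 40 hex chars, then end or a space */
        if (rem < 40 || (rem > 40 && oid[40] != ' ')) return -1;
        for (i = 0; i < 40; i++) if (hexval(oid[i]) < 0) return -1;
        memcpy(out->text, oid, 40);
        out->type = PKT_ACK;
    } else if (plen == 3 && memcmp(p, "NAK", 3) == 0) {
        out->type = PKT_NAK;
    } else if (has_prefix(p, plen, "unpack ")) {
        out->unpack_ok = (plen == 9 && memcmp(p + 7, "ok", 2) == 0);
        out->type = PKT_UNPACK;
    } else {
        out->type = PKT_OTHER;
    }
    *consumed = len;
    return 0;
}

/* Test helpers: parsed type (-1 on error) and comparison of the text field. */
int pkt_type_of(const char *buf, size_t buflen)
{
    struct pkt pk; size_t used;
    return pkt_parse(buf, buflen, &pk, &used) == 0 ? (int)pk.type : -1;
}

int pkt_text_is(const char *buf, size_t buflen, const char *expect)
{
    struct pkt pk; size_t used;
    return pkt_parse(buf, buflen, &pk, &used) == 0 && strcmp(pk.text, expect) == 0;
}

/* Constructed sample stream, not captured from a real server. */
static const char sample[] =
    "0031ACK 0123456789abcdef0123456789abcdef01234567\n"
    "0017ok refs/heads/main\n000eunpack ok\n0000";

int main(void)
{
    struct pkt pk;
    size_t off = 0, used, total = sizeof(sample) - 1;
    while (off < total && pkt_parse(sample + off, total - off, &pk, &used) == 0) {
        printf("type=%d text=\"%s\" unpack_ok=%d\n", pk.type, pk.text, pk.unpack_ok);
        off += used;
    }
    return 0;
}
```

The point of the shape is that `len` is derived from untrusted bytes, so it is compared against `buflen` before `p` is formed and every later comparison uses `plen`, never `strlen` or `strcmp`, on data that may not be terminated; a packet like "0008ok \n" fails closed rather than yielding an empty or out-of-bounds refname.
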
diffstat:

 devel/libgit2/Makefile |   4 ++--
 devel/libgit2/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (27 lines):

diff -r b8e0475e29d6 -r d409bb9e4f7c devel/libgit2/Makefile
--- a/devel/libgit2/Makefile    Thu Oct 18 14:40:07 2018 +0000
+++ b/devel/libgit2/Makefile    Thu Oct 18 14:43:01 2018 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
+# $NetBSD: Makefile,v 1.29 2018/10/18 14:43:01 taca Exp $
 
-DISTNAME=      libgit2-0.27.4
+DISTNAME=      libgit2-0.27.5
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libgit2/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
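Review bot: DISTNAME is the only functional change in this hunk, and since GITHUB_TAG is derived from PKGVERSION_NOREV the fetched tag follows it without a separate edit; no PKGREVISION line appears in the visible context, so there is nothing to reset. Because every item in the release notes is a memory-safety or option-injection fix, it would help downstream triage to name the upstream release date (2018/10/5) and CVE-2018-17456 in the commit subject rather than only in the body, where tooling that keys on the "update to 0.27.5" subject line will not see it.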
diff -r b8e0475e29d6 -r d409bb9e4f7c devel/libgit2/distinfo
--- a/devel/libgit2/distinfo    Thu Oct 18 14:40:07 2018 +0000
+++ b/devel/libgit2/distinfo    Thu Oct 18 14:43:01 2018 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
+$NetBSD: distinfo,v 1.14 2018/10/18 14:43:01 taca Exp $
 
-SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
-RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
-SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
-Size (libgit2-0.27.4.tar.gz) = 4772254 bytes
+SHA1 (libgit2-0.27.5.tar.gz) = dc339e9dd54316bd44b2769b52d5e30943e90dcf
+RMD160 (libgit2-0.27.5.tar.gz) = 864a350940288b3bdbdc90601cb24aed46ce7cbe
+SHA512 (libgit2-0.27.5.tar.gz) = 318b981456d55f60f8aa1897f1f70274329e48f09769b661eb4bbe76399071eca0fbc7deacb3191db16bc89dba8cc69a64adaf8cbc65e34a65b6e72ca122e21f
+Size (libgit2-0.27.5.tar.gz) = 4775158 bytes
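Review bot: all four distinfo lines (SHA1, RMD160, SHA512, Size) are replaced consistently and the size grows by 2904 bytes (4772254 to 4775158), which is plausible for a point release. Per the MASTER_SITE_GITHUB line in the Makefile hunk, the file being pinned is the archive GitHub generates from the v0.27.5 tag rather than an artifact upstream published, so these hashes record GitHub's current tarball output; if upstream provides a signed or checksummed release tarball, confirming the SHA512 against it before committing avoids pinning a value that a change in archive generation could later invalidate with no security meaning.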


