pkgsrc-Changes archive


CVS commit: [pkgsrc-2018Q3] pkgsrc/devel/libgit2



Module Name:    pkgsrc
Committed By:   spz
Date:           Sat Oct 20 16:18:20 UTC 2018

Modified Files:
        pkgsrc/devel/libgit2 [pkgsrc-2018Q3]: Makefile distinfo

Log Message:
Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update

Revisions pulled up:
- devel/libgit2/Makefile                                        1.29
- devel/libgit2/distinfo                                        1.14

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Oct 18 14:43:01 UTC 2018

   Modified Files:
           pkgsrc/devel/libgit2: Makefile distinfo

   Log Message:
   devel/libgit2: update to 0.27.5

   libgit2 0.27.5 (2018/10/5)

   This is a security release fixing the following list of issues:

   * Submodule URLs and paths with a leading "-" are now ignored.  This is due to
     the recently discovered CVE-2018-17456, which can lead to arbitrary code
     execution in upstream git.  While libgit2 itself is not vulnerable, it can
     be used to inject options in an implementation which performs a recursive
     clone by executing an external command.

   * When running repack while doing repo writes, packfile_load__cb() could see
     some temporary files in the directory that were bigger than usual, and
     make memcmp overflow on the p->pack_name string.  This issue was reported
     and fixed by bisho.

   * The configuration file parser used unbounded recursion to parse multiline
     variables, which could lead to a stack overflow.  The issue was reported by
     the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

   * The fix to the unbounded recursion introduced a memory leak in the config
     parser.  While this leak was never in a public release, the oss-fuzz project
     reported this as issue 10127.  The fix was implemented by Nelson Elhage and
     Patrick Steinhardt.

   * When parsing "ok" packets received via the smart protocol, our parsing code
     did not correctly verify the bounds of the packets, which could result in a
     heap-buffer overflow.  The issue was reported by the oss-fuzz project, issue
     9749 and fixed by Patrick Steinhardt.

   * The parsing code for the smart protocol has been tightened in general,
     fixing heap-buffer overflows when parsing the packet type as well as for
     "ACK" and "unpack" packets.  The issue was discovered and fixed by Patrick
     Steinhardt.

   * Fixed potential integer overflows on platforms with 16 bit integers when
     parsing packets for the smart protocol.  The issue was discovered and fixed
     by Patrick Steinhardt.

   * Fixed potential NULL pointer dereference when parsing configuration files
     which have "include.path" or "includeIf..path" statements without a value.

   To generate a diff of this commit:
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
   cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.2.1 pkgsrc/devel/libgit2/Makefile
cvs rdiff -u -r1.13 -r1.13.2.1 pkgsrc/devel/libgit2/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/libgit2/Makefile
diff -u pkgsrc/devel/libgit2/Makefile:1.28 pkgsrc/devel/libgit2/Makefile:1.28.2.1
--- pkgsrc/devel/libgit2/Makefile:1.28  Sun Sep 23 15:11:42 2018
+++ pkgsrc/devel/libgit2/Makefile       Sat Oct 20 16:18:20 2018
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
+# $NetBSD: Makefile,v 1.28.2.1 2018/10/20 16:18:20 spz Exp $
 
-DISTNAME=      libgit2-0.27.4
+DISTNAME=      libgit2-0.27.5
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libgit2/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
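Review bot: The DISTNAME bump on its own is sufficient here, since GITHUB_TAG is derived from ${PKGVERSION_NOREV} and will resolve to v0.27.5 without a separate edit; no PKGREVISION line appears in the visible context, so there is nothing to reset for a version bump. One thing worth stating in the pullup ticket is that the fix set includes the CVE-2018-17456 submodule hardening, so downstream consumers can tell this is a security update rather than a routine bump.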

Index: pkgsrc/devel/libgit2/distinfo
diff -u pkgsrc/devel/libgit2/distinfo:1.13 pkgsrc/devel/libgit2/distinfo:1.13.2.1
--- pkgsrc/devel/libgit2/distinfo:1.13  Sun Sep 23 15:11:42 2018
+++ pkgsrc/devel/libgit2/distinfo       Sat Oct 20 16:18:20 2018
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
+$NetBSD: distinfo,v 1.13.2.1 2018/10/20 16:18:20 spz Exp $
 
-SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
-RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
-SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
-Size (libgit2-0.27.4.tar.gz) = 4772254 bytes
+SHA1 (libgit2-0.27.5.tar.gz) = dc339e9dd54316bd44b2769b52d5e30943e90dcf
+RMD160 (libgit2-0.27.5.tar.gz) = 864a350940288b3bdbdc90601cb24aed46ce7cbe
+SHA512 (libgit2-0.27.5.tar.gz) = 318b981456d55f60f8aa1897f1f70274329e48f09769b661eb4bbe76399071eca0fbc7deacb3191db16bc89dba8cc69a64adaf8cbc65e34a65b6e72ca122e21f
+Size (libgit2-0.27.5.tar.gz) = 4775158 bytes
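Review bot: All four distinfo entries (SHA1, RMD160, SHA512, Size) move to 0.27.5 together, which is the correct shape for a distfile update, and the hunk header shows no patch-* checksums changed, so no local patches needed regeneration. Because MASTER_SITES points at a GitHub-generated archive rather than a fixed release asset, confirm the new values were produced by `make makesum` from the fetched tarball and verified once more with `make checksum`, so the recorded SHA512 matches the exact bytes the pullup will build from.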


