From: Nicolas Cavallari Date: Mon, 16 Dec 2019 11:53:59 +0000 (+0100) Subject: package/libgit2: security bump to version 0.28.4 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=818f2be00bc23180943b91e69d8cf820a6cf4bfb;p=buildroot.git package/libgit2: security bump to version 0.28.4 Fixes the following CVE: - CVE-2019-1351: Windows provides the ability to substitute drive letters with arbitrary letters, including multi-byte Unicode letters. To fix any potential issues arising from interpreting such paths as relative paths, we have extended detection of DOS drive prefixes to accomodate for such cases. - CVE-2019-1352: by using NTFS-style alternative file streams for the ".git" directory, it is possible to overwrite parts of the repository. While this has been fixed in the past for Windows, the same vulnerability may also exist on other systems that write to NTFS filesystems. We now reject any paths starting with ".git:" on all systems. - CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write to the ".git" directory and thus overwrite parts of the repository, leading to possible remote code execution. While this problem was already fixed in the past for Windows, other systems accessing NTFS filesystems are vulnerable to this issue too. We now enable NTFS protecions by default on all systems to fix this attack vector. - CVE-2019-1354: on Windows, backslashes are not a valid part of a filename but are instead interpreted as directory separators. As other platforms allowed to use such paths, it was possible to write such invalid entries into a Git repository and was thus an attack vector to write into the ".git" dierctory. We now reject any entries starting with ".git" on all systems. libgit2 is not affected by these git CVE: - CVE-2019-1348: the fast-import stream command "feature export-marks=path" allows writing to arbitrary file paths. - CVE-2019-1349: by using NTFS 8.3 short names, backslashes or alternate filesystreams, it is possible to cause submodules to be written into pre-existing directories during a recursive clone using git. - CVE-2019-1350: recursive clones may lead to arbitrary remote code executing due to improper quoting of command line arguments. - CVE-2019-1387: it is possible to let a submodule's git directory point into a sibling's submodule directory, which may result in overwriting parts of the Git repository and thus lead to arbitrary command execution. As libgit2 doesn't provide any way to do submodule clones natively, it is not susceptible to this vulnerability. Users of libgit2 that have implemented recursive submodule clones manually are encouraged to review their implementation for this vulnerability. Signed-off-by: Nicolas Cavallari Signed-off-by: Peter Korsgaard --- diff --git a/package/libgit2/libgit2.hash b/package/libgit2/libgit2.hash index f445e4cf0f..d4912c0327 100644 --- a/package/libgit2/libgit2.hash +++ b/package/libgit2/libgit2.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 ee5344730fe11ce7c86646e19c2d257757be293f5a567548d398fb3af8b8e53b libgit2-0.28.3.tar.gz +sha256 30f3877469d09f2e4a21be933b4e2800560d16646028dd800744dc5f7fb0c749 libgit2-0.28.4.tar.gz sha256 d9a8038088df84fde493fa33a0f1e537252eeb9642122aa4b862690197152813 COPYING diff --git a/package/libgit2/libgit2.mk b/package/libgit2/libgit2.mk index e4d887d9b2..909fcb83f0 100644 --- a/package/libgit2/libgit2.mk +++ b/package/libgit2/libgit2.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBGIT2_VERSION = 0.28.3 +LIBGIT2_VERSION = 0.28.4 LIBGIT2_SITE = $(call github,libgit2,libgit2,v$(LIBGIT2_VERSION)) LIBGIT2_LICENSE = GPL-2.0 with linking exception LIBGIT2_LICENSE_FILES = COPYING