author     spz <spz@pkgsrc.org>    2018-10-20 16:18:20 +0000
committer  spz <spz@pkgsrc.org>    2018-10-20 16:18:20 +0000
commit     5bf4b461eb499e836cb35b92edf59e27f45f7f50 (patch)
tree       9500dacbec35e7626321e2b13dc90652d316c621
parent     c15e0d3996100556d904c727048b90093d720759 (diff)
download   pkgsrc-5bf4b461eb499e836cb35b92edf59e27f45f7f50.tar.gz
Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update

Revisions pulled up:
- devel/libgit2/Makefile 1.29
- devel/libgit2/distinfo 1.14
-------------------------------------------------------------------
Module Name:    pkgsrc
Committed By:   taca
Date:           Thu Oct 18 14:43:01 UTC 2018

Modified Files:
        pkgsrc/devel/libgit2: Makefile distinfo

Log Message:
devel/libgit2: update to 0.27.5

libgit2 0.27.5 (2018/10/5)

This is a security release fixing the following list of issues:

* Submodule URLs and paths with a leading "-" are now ignored. This is due to the recently discovered CVE-2018-17456, which can lead to arbitrary code execution in upstream git. While libgit2 itself is not vulnerable, it can be used to inject options in an implementation which performs a recursive clone by executing an external command.

* When running repack while doing repo writes, packfile_load__cb() could see some temporary files in the directory that were bigger than the usual, and makes memcmp overflow on the p->pack_name string. This issue was reported and fixed by bisho.

* The configuration file parser used unbounded recursion to parse multiline variables, which could lead to a stack overflow. The issue was reported by the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

* The fix to the unbounded recursion introduced a memory leak in the config parser. While this leak was never in a public release, the oss-fuzz project reported this as issue 10127. The fix was implemented by Nelson Elhage and Patrick Steinhardt.

* When parsing "ok" packets received via the smart protocol, our parsing code did not correctly verify the bounds of the packets, which could result in a heap-buffer overflow. The issue was reported by the oss-fuzz project, issue 9749 and fixed by Patrick Steinhardt.

* The parsing code for the smart protocol has been tightened in general, fixing heap-buffer overflows when parsing the packet type as well as for "ACK" and "unpack" packets. The issue was discovered and fixed by Patrick Steinhardt.

* Fixed potential integer overflows on platforms with 16 bit integers when parsing packets for the smart protocol. The issue was discovered and fixed by Patrick Steinhardt.

* Fixed potential NULL pointer dereference when parsing configuration files which have "include.path" or "includeIf..path" statements without a value.

To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo
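The smart-protocol items in the release notes above (the "ok", "ACK" and "unpack" heap-buffer overflows and the 16-bit integer overflow) share one root cause: the pkt-line length prefix, or a prefix comparison, was trusted before checking that the bytes are actually present in the buffer. The following is an added example written for this page, not code from libgit2 or pkgsrc, showing how a pkt-line reader bounds every read; the function names (parse_pkt_line, pkt_type_of, count_ok_refs), the struct, and the sample report-status stream are this example's own constructions.

```c
/* pktline_check.c: bounds-checked parsing of git smart-protocol pkt-lines.
 * Added example, not libgit2 code. Build: cc -std=c99 -Wall pktline_check.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pkt_type {
    PKT_INVALID = -1,  /* malformed or truncated: caller must stop parsing */
    PKT_FLUSH   = 0,   /* "0000" */
    PKT_OK,            /* "ok <ref>\n"      (report-status) */
    PKT_UNPACK,        /* "unpack <status>\n" */
    PKT_ACK,           /* "ACK <oid>..." */
    PKT_OTHER
};

struct pkt {
    enum pkt_type type;
    const char *payload;   /* points into the caller's buffer, NOT NUL-terminated */
    size_t payload_len;
    size_t consumed;       /* input bytes used by this packet, incl. the 4-byte prefix */
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one pkt-line from buf[0..len). Every read is checked against len
 * before it happens, so a declared length larger than the data we hold is
 * rejected instead of being used as a read bound. pktlen is a size_t, so the
 * four hex digits cannot overflow even where int is 16 bits. */
enum pkt_type parse_pkt_line(const char *buf, size_t len, struct pkt *out)
{
    size_t pktlen = 0, plen;
    const char *p;
    int i;

    out->type = PKT_INVALID; out->payload = NULL;
    out->payload_len = 0;    out->consumed = 0;

    if (len < 4)
        return PKT_INVALID;                 /* no complete length prefix */
    for (i = 0; i < 4; i++) {
        int v = hexval(buf[i]);
        if (v < 0)
            return PKT_INVALID;             /* non-hex length digit */
        pktlen = (pktlen << 4) | (size_t)v;
    }
    if (pktlen == 0) {
        out->type = PKT_FLUSH; out->consumed = 4;
        return PKT_FLUSH;
    }
    if (pktlen < 4 || pktlen > len)
        return PKT_INVALID;                 /* 0001-0003 invalid; > len means truncated */

    p = buf + 4;
    plen = pktlen - 4;
    out->payload = p; out->payload_len = plen; out->consumed = pktlen;

    /* Compare a prefix only when the payload is at least that long;
     * memcmp over a shorter payload would read past the packet. */
    if (plen >= 3 && memcmp(p, "ok ", 3) == 0)
        out->type = PKT_OK;
    else if (plen >= 7 && memcmp(p, "unpack ", 7) == 0)
        out->type = PKT_UNPACK;
    else if (plen >= 4 && memcmp(p, "ACK ", 4) == 0)
        out->type = PKT_ACK;
    else
        out->type = PKT_OTHER;
    return out->type;
}

/* Classify a single packet held in buf[0..len). */
enum pkt_type pkt_type_of(const char *buf, size_t len)
{
    struct pkt p;
    return parse_pkt_line(buf, len, &p);
}

/* Walk a report-status stream to its flush packet and return how many refs
 * were reported "ok"; -1 if any packet is malformed or no flush arrives. */
int count_ok_refs(const char *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    struct pkt p;

    while (off < len) {
        enum pkt_type t = parse_pkt_line(buf + off, len - off, &p);
        if (t == PKT_INVALID) return -1;
        if (t == PKT_FLUSH)   return n;
        if (t == PKT_OK)      n++;
        off += p.consumed;
    }
    return -1;                              /* data ran out before a flush */
}

int main(void)
{
    /* Constructed sample: a well-formed report-status reply, and a packet
     * whose length prefix claims more bytes than were actually received. */
    static const char good[] = "000eunpack ok\n0019ok refs/heads/master\n"
                               "0018ok refs/heads/devel\n0000";
    static const char truncated[] = "0019ok refs/";

    printf("good stream: %d ok refs\n", count_ok_refs(good, sizeof good - 1));
    printf("truncated packet: %d\n", (int)pkt_type_of(truncated, sizeof truncated - 1));
    return 0;
}
```

The two checks that matter are `pktlen > len` (the declared length is validated against the bytes on hand before the payload pointer is formed) and the `plen >= N` guards ahead of each `memcmp`; a parser that skips either will read past the end of the receive buffer on a truncated or hostile packet, which is the failure mode the 0.27.5 notes describe. Walking the stream by `consumed` rather than by the declared length means a rejected packet also stops the loop instead of advancing into unowned memory.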
-rw-r--r--  devel/libgit2/Makefile   | 4
-rw-r--r--  devel/libgit2/distinfo   | 10
2 files changed, 7 insertions, 7 deletions
diff --git a/devel/libgit2/Makefile b/devel/libgit2/Makefile
index 714d29a30f6..2604a3e2d15 100644
--- a/devel/libgit2/Makefile
+++ b/devel/libgit2/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
+# $NetBSD: Makefile,v 1.28.2.1 2018/10/20 16:18:20 spz Exp $
-DISTNAME= libgit2-0.27.4
+DISTNAME= libgit2-0.27.5
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_GITHUB:=libgit2/}
GITHUB_TAG= v${PKGVERSION_NOREV}
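Review bot: the hunk is a pure DISTNAME bump from libgit2-0.27.4 to libgit2-0.27.5 plus the branch RCS id (1.28.2.1), which is the right shape for a pullup of a patch release; since GITHUB_TAG= v${PKGVERSION_NOREV} is unchanged, the fetched distfile is the GitHub tag archive for v0.27.5, so the distinfo checksums must be regenerated from that archive rather than copied from upstream's release announcement. No PKGREVISION line appears in this hunk, so there is nothing to reset for the version change.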
diff --git a/devel/libgit2/distinfo b/devel/libgit2/distinfo
index 3f3782825eb..de048aa47bb 100644
--- a/devel/libgit2/distinfo
+++ b/devel/libgit2/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
+$NetBSD: distinfo,v 1.13.2.1 2018/10/20 16:18:20 spz Exp $
-SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
-RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
-SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
-Size (libgit2-0.27.4.tar.gz) = 4772254 bytes
+SHA1 (libgit2-0.27.5.tar.gz) = dc339e9dd54316bd44b2769b52d5e30943e90dcf
+RMD160 (libgit2-0.27.5.tar.gz) = 864a350940288b3bdbdc90601cb24aed46ce7cbe
+SHA512 (libgit2-0.27.5.tar.gz) = 318b981456d55f60f8aa1897f1f70274329e48f09769b661eb4bbe76399071eca0fbc7deacb3191db16bc89dba8cc69a64adaf8cbc65e34a65b6e72ca122e21f
+Size (libgit2-0.27.5.tar.gz) = 4775158 bytes
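Review bot: SHA1, RMD160, SHA512 and Size are all replaced together for libgit2-0.27.5.tar.gz, so the record is consistent with the Makefile's new DISTNAME, and the Size moving only from 4772254 to 4775158 bytes is plausible for a patch release. Because this distfile is a GitHub tag archive (see GITHUB_TAG in the Makefile hunk) rather than a signed release artifact, these digests should come from `make distinfo` on a freshly fetched archive, and a `make checksum` on the branch after the pullup confirms the fetched file still matches them.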