
Fedora 31: 2019-9c3d054f39 Critical: libgit2 Arbitrary Execution

Published: December 16, 2019

Addresses several vulnerabilities in libgit2 for Fedora users, concerning unauthorized code execution and the handling of repository directory paths.

Summary

libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings.

This is a security release fixing the following issues:

* CVE-2019-1348: the fast-import stream command "feature export-marks=path" allows writing to arbitrary file paths. As libgit2 does not offer any interface for fast-import, it is not susceptible to this vulnerability.

* CVE-2019-1349: by using NTFS 8.3 short names, backslashes or alternate file streams, it is possible to cause submodules to be written into pre-existing directories during a recursive clone using git. As libgit2 rejects cloning into non-empty directories by default, it is not susceptible to this vulnerability.

* CVE-2019-1350: recursive clones may lead to arbitrary remote code execution due to improper quoting of command line arguments. As libgit2 uses libssh2, which does not require us to perform command line parsing, it is not susceptible to this vulnerability.

* CVE-2019-1351: Windows provides the ability to substitute drive letters with arbitrary letters, including multi-byte Unicode letters. To fix any potential issues arising from interpreting such paths as relative paths, we have extended detection of DOS drive prefixes to accommodate such cases.

* CVE-2019-1352: by using NTFS-style alternative file streams for the ".git" directory, it is possible to overwrite parts of the repository. While this has been fixed in the past for Windows, the same vulnerability may also exist on other systems that write to NTFS filesystems. We now reject any paths starting with ".git:" on all systems.

* CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write to the ".git" directory and thus overwrite parts of the repository, leading to possible remote code execution. While this problem was already fixed in the past for Windows, other systems accessing NTFS filesystems are vulnerable to this issue too. We now enable NTFS protections by default on all systems to fix this attack vector.

* CVE-2019-1354: on Windows, backslashes are not a valid part of a filename but are instead interpreted as directory separators. As other platforms allowed the use of such paths, it was possible to write such invalid entries into a Git repository, which was thus an attack vector for writing into the ".git" directory. We now reject any entries starting with ".git" on all systems.

* CVE-2019-1387: it is possible to let a submodule's git directory point into a sibling submodule's directory, which may result in overwriting parts of the Git repository and thus lead to arbitrary command execution. As libgit2 doesn't provide any way to do submodule clones natively, it is not susceptible to this vulnerability. Users of libgit2 that have implemented recursive submodule clones manually are encouraged to review their implementation for this vulnerability.
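The fixes for CVE-2019-1352, CVE-2019-1353 and CVE-2019-1354 all come down to one question a repository writer must answer before creating a tree entry on disk: does this path name the ".git" directory under any spelling a filesystem might accept? The stand-alone C program below is an added illustration of such a check; it is not part of this advisory and not libgit2's own implementation. The rules it applies are this example's assumptions: a component is ".git"-like if it is ".git" case-insensitively, starts with ".git:" (an alternate data stream), or has the 8.3 short-name shape "git~" followed by digits; both "/" and "\" are treated as separators; and any single UTF-8 code point followed by ":" counts as a DOS drive prefix. The sample paths in main() are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test that s begins with prefix (s must have at least
 * strlen(prefix) readable bytes; callers guarantee this via the length checks). */
static bool ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (*s == '\0' || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return false;
    }
    return true;
}

/* Does one path component (comp, len bytes) refer to the ".git" directory?
 * Assumed rules for this example:
 *   ".git"          exact name, case-insensitive
 *   ".git:<stream>" NTFS alternate data stream of ".git" (CVE-2019-1352)
 *   "git~<digits>"  NTFS 8.3 short name for ".git"      (CVE-2019-1353) */
bool component_is_dotgit(const char *comp, size_t len)
{
    if (len == 4 && ci_prefix(comp, ".git"))
        return true;
    if (len >= 5 && ci_prefix(comp, ".git:"))
        return true;
    if (len >= 5 && ci_prefix(comp, "git~")) {
        size_t i = 4;
        while (i < len && isdigit((unsigned char)comp[i]))
            i++;
        if (i == len)            /* at least one digit, and nothing after the digits */
            return true;
    }
    return false;
}

/* Byte length of the UTF-8 sequence introduced by lead byte c. */
static size_t utf8_seq_len(unsigned char c)
{
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 1;                    /* invalid lead byte: treat as one byte */
}

/* Drive prefix "<letter>:" where the letter may be a multi-byte Unicode
 * character (CVE-2019-1351). Assumed rule: one code point that is not a
 * separator, immediately followed by ':'. */
bool has_dos_drive_prefix(const char *path)
{
    if (path[0] == '\0' || path[0] == '/' || path[0] == '\\')
        return false;
    size_t n = utf8_seq_len((unsigned char)path[0]);
    for (size_t i = 1; i < n; i++)   /* make sure the whole code point is present */
        if (path[i] == '\0')
            return false;
    return path[n] == ':';
}

/* Reject a tree entry path if it carries a drive prefix or if any component,
 * splitting on '/' AND '\\' (CVE-2019-1354), names the ".git" directory. */
bool tree_entry_is_unsafe(const char *path)
{
    if (has_dos_drive_prefix(path))
        return true;
    const char *start = path;
    for (const char *p = path;; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (component_is_dotgit(start, (size_t)(p - start)))
                return true;
            if (*p == '\0')
                break;
            start = p + 1;
        }
    }
    return false;
}

int main(void)
{
    /* constructed sample entry names, not taken from any real repository */
    const char *samples[] = {
        "src/main.c", ".gitignore", ".git/config", "sub/.GIT/hooks/pre-commit",
        ".git:hooks", "GIT~1/config", "foo\\.git\\config", "C:foo",
        "\xC3\x84:foo", "git-tools/x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i], tree_entry_is_unsafe(samples[i]) ? "REJECT" : "ok");
    return 0;
}
```

The split on backslashes is what turns "foo\.git\config" from a harmless odd filename on Linux into the same ".git/config" write it would be on Windows, which is why the advisory applies the check on all systems rather than only where the host filesystem is NTFS.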

Change Log

* Wed Dec 11 2019 Igor Gnatenko - 0.28.4-1
- Update to 0.28.4

References

[ 1 ] Bug #1742726 - libgit2-0.28.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1742726
[ 2 ] Bug #1765165 - libgit2: Out-of-bounds write via commits with large number of parents [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1765165

Update Instructions

su -c 'dnf upgrade --advisory FEDORA-2019-9c3d054f39' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Severity: critical

Product: Fedora 31
Version: 0.28.4
Release: 1.fc31
Summary: C implementation of the Git core methods as a library with a solid API
