--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2019-9c3d054f39
2019-12-17 01:44:37.598362
--------------------------------------------------------------------------------Name        : libgit2
Product     : Fedora 31
Version     : 0.28.4
Release     : 1.fc31
URL         : https://libgit2.org/
Summary     : C implementation of the Git core methods as a library with a solid API
Description :
libgit2 is a portable, pure C implementation of the Git core methods
provided as a re-entrant linkable library with a solid API, allowing
you to write native speed custom Git applications in any language
with bindings.

--------------------------------------------------------------------------------Update Information:

This is a security release fixing the following issues:  * CVE-2019-1348: the
fast-import stream command "feature export-marks=path" allows writing to
arbitrary file paths. As libgit2 does not offer any interface for fast-import,
it is not susceptible to this vulnerability. * CVE-2019-1349: by using NTFS 8.3
short names, backslashes or alternate filesystreams, it is possible to cause
submodules to be written into pre-existing directories during a recursive clone
using git. As libgit2 rejects cloning into non-empty directories by default, it
is not susceptible to this vulnerability. * CVE-2019-1350: recursive clones may
lead to arbitrary remote code executing due to improper quoting of command line
arguments. As libgit2 uses libssh2, which does not require us to perform command
line parsing, it is not susceptible to this vulnerability. * CVE-2019-1351:
Windows provides the ability to substitute drive letters with arbitrary letters,
including multi-byte Unicode letters. To fix any potential issues arising from
interpreting such paths as relative paths, we have extended detection of DOS
drive prefixes to accomodate for such cases. * CVE-2019-1352: by using NTFS-style alternative file streams for the ".git" directory, it is possible to
overwrite parts of the repository. While this has been fixed in the past for
Windows, the same vulnerability may also exist on other systems that write to
NTFS filesystems. We now reject any paths starting with ".git:" on all systems.
* CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write
to the ".git" directory and thus overwrite parts of the repository, leading to
possible remote code execution. While this problem was already fixed in the past
for Windows, other systems accessing NTFS filesystems are vulnerable to this
issue too. We now enable NTFS protecions by default on all systems to fix this
attack vector. * CVE-2019-1354: on Windows, backslashes are not a valid part of
a filename but are instead interpreted as directory separators. As other
platforms allowed to use such paths, it was possible to write such invalid
entries into a Git repository and was thus an attack vector to write into the
".git" dierctory. We now reject any entries starting with ".git" on all systems.
* CVE-2019-1387: it is possible to let a submodule's git directory point into a
sibling's submodule directory, which may result in overwriting parts of the Git
repository and thus lead to arbitrary command execution. As libgit2 doesn't
provide any way to do submodule clones natively, it is not susceptible to this
vulnerability. Users of libgit2 that have implemented recursive submodule clones
manually are encouraged to review their implementation for this vulnerability.
--------------------------------------------------------------------------------ChangeLog:

* Wed Dec 11 2019 Igor Gnatenko  - 0.28.4-1
- Update to 0.28.4
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #1742726 - libgit2-0.28.3 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=1742726
  [ 2 ] Bug #1765165 - libgit2: Out-of-bounds write via commits with large number of parents [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1765165
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-9c3d054f39' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Fedora 31: libgit2 FEDORA-2019-9c3d054f39

December 16, 2019

This is a security release fixing the following issues: * CVE-2019-1348: the fast-import stream command "feature export-marks=path" allows writing to arbitrary file paths

Summary

libgit2 is a portable, pure C implementation of the Git core methods

provided as a re-entrant linkable library with a solid API, allowing

you to write native speed custom Git applications in any language

with bindings.

This is a security release fixing the following issues: * CVE-2019-1348: the

fast-import stream command "feature export-marks=path" allows writing to

arbitrary file paths. As libgit2 does not offer any interface for fast-import,

it is not susceptible to this vulnerability. * CVE-2019-1349: by using NTFS 8.3

short names, backslashes or alternate filesystreams, it is possible to cause

submodules to be written into pre-existing directories during a recursive clone

using git. As libgit2 rejects cloning into non-empty directories by default, it

is not susceptible to this vulnerability. * CVE-2019-1350: recursive clones may

lead to arbitrary remote code executing due to improper quoting of command line

arguments. As libgit2 uses libssh2, which does not require us to perform command

line parsing, it is not susceptible to this vulnerability. * CVE-2019-1351:

Windows provides the ability to substitute drive letters with arbitrary letters,

including multi-byte Unicode letters. To fix any potential issues arising from

interpreting such paths as relative paths, we have extended detection of DOS

drive prefixes to accomodate for such cases. * CVE-2019-1352: by using NTFS-style alternative file streams for the ".git" directory, it is possible to

overwrite parts of the repository. While this has been fixed in the past for

Windows, the same vulnerability may also exist on other systems that write to

NTFS filesystems. We now reject any paths starting with ".git:" on all systems.

* CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write

to the ".git" directory and thus overwrite parts of the repository, leading to

possible remote code execution. While this problem was already fixed in the past

for Windows, other systems accessing NTFS filesystems are vulnerable to this

issue too. We now enable NTFS protecions by default on all systems to fix this

attack vector. * CVE-2019-1354: on Windows, backslashes are not a valid part of

a filename but are instead interpreted as directory separators. As other

platforms allowed to use such paths, it was possible to write such invalid

entries into a Git repository and was thus an attack vector to write into the

".git" dierctory. We now reject any entries starting with ".git" on all systems.

* CVE-2019-1387: it is possible to let a submodule's git directory point into a

sibling's submodule directory, which may result in overwriting parts of the Git

repository and thus lead to arbitrary command execution. As libgit2 doesn't

provide any way to do submodule clones natively, it is not susceptible to this

vulnerability. Users of libgit2 that have implemented recursive submodule clones

manually are encouraged to review their implementation for this vulnerability.

* Wed Dec 11 2019 Igor Gnatenko - 0.28.4-1

- Update to 0.28.4

[ 1 ] Bug #1742726 - libgit2-0.28.3 is available

https://bugzilla.redhat.com/show_bug.cgi?id=1742726

[ 2 ] Bug #1765165 - libgit2: Out-of-bounds write via commits with large number of parents [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1765165

su -c 'dnf upgrade --advisory FEDORA-2019-9c3d054f39' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

FEDORA-2019-9c3d054f39 2019-12-17 01:44:37.598362 Product : Fedora 31 Version : 0.28.4 Release : 1.fc31 URL : https://libgit2.org/ Summary : C implementation of the Git core methods as a library with a solid API Description : libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. This is a security release fixing the following issues: * CVE-2019-1348: the fast-import stream command "feature export-marks=path" allows writing to arbitrary file paths. As libgit2 does not offer any interface for fast-import, it is not susceptible to this vulnerability. * CVE-2019-1349: by using NTFS 8.3 short names, backslashes or alternate filesystreams, it is possible to cause submodules to be written into pre-existing directories during a recursive clone using git. As libgit2 rejects cloning into non-empty directories by default, it is not susceptible to this vulnerability. * CVE-2019-1350: recursive clones may lead to arbitrary remote code executing due to improper quoting of command line arguments. As libgit2 uses libssh2, which does not require us to perform command line parsing, it is not susceptible to this vulnerability. * CVE-2019-1351: Windows provides the ability to substitute drive letters with arbitrary letters, including multi-byte Unicode letters. To fix any potential issues arising from interpreting such paths as relative paths, we have extended detection of DOS drive prefixes to accomodate for such cases. * CVE-2019-1352: by using NTFS-style alternative file streams for the ".git" directory, it is possible to overwrite parts of the repository. While this has been fixed in the past for Windows, the same vulnerability may also exist on other systems that write to NTFS filesystems. We now reject any paths starting with ".git:" on all systems. * CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write to the ".git" directory and thus overwrite parts of the repository, leading to possible remote code execution. While this problem was already fixed in the past for Windows, other systems accessing NTFS filesystems are vulnerable to this issue too. We now enable NTFS protecions by default on all systems to fix this attack vector. * CVE-2019-1354: on Windows, backslashes are not a valid part of a filename but are instead interpreted as directory separators. As other platforms allowed to use such paths, it was possible to write such invalid entries into a Git repository and was thus an attack vector to write into the ".git" dierctory. We now reject any entries starting with ".git" on all systems. * CVE-2019-1387: it is possible to let a submodule's git directory point into a sibling's submodule directory, which may result in overwriting parts of the Git repository and thus lead to arbitrary command execution. As libgit2 doesn't provide any way to do submodule clones natively, it is not susceptible to this vulnerability. Users of libgit2 that have implemented recursive submodule clones manually are encouraged to review their implementation for this vulnerability. * Wed Dec 11 2019 Igor Gnatenko - 0.28.4-1 - Update to 0.28.4 [ 1 ] Bug #1742726 - libgit2-0.28.3 is available https://bugzilla.redhat.com/show_bug.cgi?id=1742726 [ 2 ] Bug #1765165 - libgit2: Out-of-bounds write via commits with large number of parents [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1765165 su -c 'dnf upgrade --advisory FEDORA-2019-9c3d054f39' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/