|
1 | 1 | v0.28 + 1 |
2 | 2 | --------- |
3 | 3 |
|
| 4 | +# Security Fixes |
| 5 | + |
| 6 | +- CVE-2019-1348: the fast-import stream command "feature |
| 7 | + export-marks=path" allows writing to arbitrary file paths. As |
| 8 | + libgit2 does not offer any interface for fast-import, it is not |
| 9 | + susceptible to this vulnerability. |
| 10 | + |
| 11 | +- CVE-2019-1349: by using NTFS 8.3 short names, backslashes or |
| 12 | + alternate filesystreams, it is possible to cause submodules to |
| 13 | + be written into pre-existing directories during a recursive |
| 14 | + clone using git. As libgit2 rejects cloning into non-empty |
| 15 | + directories by default, it is not susceptible to this |
| 16 | + vulnerability. |
| 17 | + |
| 18 | +- CVE-2019-1350: recursive clones may lead to arbitrary remote |
| 19 | + code executing due to improper quoting of command line |
| 20 | + arguments. As libgit2 uses libssh2, which does not require us |
| 21 | + to perform command line parsing, it is not susceptible to this |
| 22 | + vulnerability. |
| 23 | + |
| 24 | +- CVE-2019-1351: Windows provides the ability to substitute |
| 25 | + drive letters with arbitrary letters, including multi-byte |
| 26 | + Unicode letters. To fix any potential issues arising from |
| 27 | + interpreting such paths as relative paths, we have extended |
| 28 | + detection of DOS drive prefixes to accomodate for such cases. |
| 29 | + |
| 30 | +- CVE-2019-1352: by using NTFS-style alternative file streams for |
| 31 | + the ".git" directory, it is possible to overwrite parts of the |
| 32 | + repository. While this has been fixed in the past for Windows, |
| 33 | + the same vulnerability may also exist on other systems that |
| 34 | + write to NTFS filesystems. We now reject any paths starting |
| 35 | + with ".git:" on all systems. |
| 36 | + |
| 37 | +- CVE-2019-1353: by using NTFS-style 8.3 short names, it was |
| 38 | + possible to write to the ".git" directory and thus overwrite |
| 39 | + parts of the repository, leading to possible remote code |
| 40 | + execution. While this problem was already fixed in the past for |
| 41 | + Windows, other systems accessing NTFS filesystems are |
| 42 | + vulnerable to this issue too. We now enable NTFS protecions by |
| 43 | + default on all systems to fix this attack vector. |
| 44 | + |
| 45 | +- CVE-2019-1354: on Windows, backslashes are not a valid part of |
| 46 | + a filename but are instead interpreted as directory separators. |
| 47 | + As other platforms allowed to use such paths, it was possible |
| 48 | + to write such invalid entries into a Git repository and was |
| 49 | + thus an attack vector to write into the ".git" dierctory. We |
| 50 | + now reject any entries starting with ".git\" on all systems. |
| 51 | + |
| 52 | +- CVE-2019-1387: it is possible to let a submodule's git |
| 53 | + directory point into a sibling's submodule directory, which may |
| 54 | + result in overwriting parts of the Git repository and thus lead |
| 55 | + to arbitrary command execution. As libgit2 doesn't provide any |
| 56 | + way to do submodule clones natively, it is not susceptible to |
| 57 | + this vulnerability. Users of libgit2 that have implemented |
| 58 | + recursive submodule clones manually are encouraged to review |
| 59 | + their implementation for this vulnerability. |
| 60 | + |
4 | 61 | ### Breaking API changes |
5 | 62 |
|
6 | 63 | * The "private" implementation details of the `git_cred` structure have been |
|
0 commit comments