From 59fba56eb50089bdf77424753a56e08716c01327 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Wed, 30 May 2018 00:06:02 +0100
Subject: [PATCH 1/7] Update libgit2 to v0.27.1 (b0d9952)

---
 LibGit2Sharp/LibGit2Sharp.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LibGit2Sharp/LibGit2Sharp.csproj b/LibGit2Sharp/LibGit2Sharp.csproj
index fc15f0e2f..6e966a5c9 100644
--- a/LibGit2Sharp/LibGit2Sharp.csproj
+++ b/LibGit2Sharp/LibGit2Sharp.csproj
@@ -32,7 +32,7 @@ - +

From 28a0ab3f09b232f499dcc94656f37c5d118f2db6 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Wed, 30 May 2018 00:11:27 +0100
Subject: [PATCH 2/7] Update release notes for v0.25.1

---
 CHANGES.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 6ec51a0e1..c9b6cba42 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -10,6 +10,28 @@
 - Windows (x86/amd64):
 - Linux/Mac OS X:
+## v0.25.1 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25..v0.25.1))
+
+This is a security release fixing insufficient validation of submodule
+names (CVE-2018-11235, reported by Etienne Stalmans) and disallows
+`.gitmodules` files as symlinks. This includes [libgit2
+v0.27.1](https://github.com/libgit2/libgit2/releases/tag/v0.27.1),
+whose release notes follow.
+
+While submodule names come from the untrusted `.gitmodules` file, we
+blindly append the name to `$GIT_DIR/modules` to construct the final
+path of the submodule repository. In case the name contains e.g. `../`,
+an adversary would be able to escape your repository and write data at
+arbitrary paths. In accordance with git, we now enforce some rules for
+submodule names which will cause libgit2 to ignore these malicious names.
+
+Adding a symlink as .gitmodules into the index from the workdir or
+checking out such files is not allowed as this can make a Git
+implementation write outside of the repository and bypass the fsck
+checks for CVE-2018-11235.
+
+libgit2 (and LibGit2Sharp) is not susceptible to CVE-2018-11233.
+
 ## v0.25 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.24..v0.25))
 LibGit2Sharp is now .NET Core 2.0+ and .NET Framework compatible.

From 5199c83d37f7baf5a775eacaffd66322b1d90ef1 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Wed, 30 May 2018 11:48:57 +0100
Subject: [PATCH 3/7] v0.25: update version.json

---
 version.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/version.json b/version.json
index 557aaf883..8e1e46945 100644
--- a/version.json
+++ b/version.json
@@ -1,9 +1,9 @@
 {
 "$schema": "https://raw.githubusercontent.com/AArnott/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.25.0",
+ "version": "0.25.2",
 "publicReleaseRefSpec": [
- "^refs/heads/master$", // we release out of master
- "^refs/heads/v\\d+(?:\\.\\d+)?$" // we also release out of vNN branches
+ "^refs/heads/master$", // we release out of master
+ "^refs/heads/maint/v\\d+(?:\\.\\d+)?$" // and maint/vNN branches
 ],
 "cloudBuild": {
 "buildNumber": {

From 4af76d6dcb8e94a5cf1f00d37f98b81956741327 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Sun, 7 Oct 2018 19:29:14 +0100
Subject: [PATCH 4/7] Update NativeBinaries to 1.0.235

---
 LibGit2Sharp/LibGit2Sharp.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LibGit2Sharp/LibGit2Sharp.csproj b/LibGit2Sharp/LibGit2Sharp.csproj
index 6e966a5c9..47a520703 100644
--- a/LibGit2Sharp/LibGit2Sharp.csproj
+++ b/LibGit2Sharp/LibGit2Sharp.csproj
@@ -32,7 +32,7 @@ - +

From 2cf2e54b318090776e5e4423758dc4a37ea29c47 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Mon, 8 Oct 2018 11:12:11 +0100
Subject: [PATCH 5/7] Prepare for v0.25.3 release

---
 CHANGES.md | 10 ++++++++++
 version.json | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index c9b6cba42..bb5149ec0 100644
--- a/CHANGES.md
+++ b/CHANGES.md
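Review bot: The new `publicReleaseRefSpec` replaces the `"^refs/heads/v\\d+(?:\\.\\d+)?$"` entry instead of adding the `maint/` pattern next to it, so any branch still named `vNN` would stop being stamped as a public (non-prerelease) build; that is fine if those branches are retired, but the subject `v0.25: update version.json` does not say so. In the same hunk `"version"` jumps from `0.25.0` to `0.25.2`, skipping the v0.25.1 whose release notes the previous patch adds — presumably 0.25.1 was already tagged, but the commit message should state that. If both branch layouts coexist during the transition, keep the old entry alongside the new one: `"^refs/heads/v\\d+(?:\\.\\d+)?$",` followed by `"^refs/heads/maint/v\\d+(?:\\.\\d+)?$"`.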
@@ -10,6 +10,16 @@
 - Windows (x86/amd64):
 - Linux/Mac OS X:
+## v0.25.3 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25.2..v0.25.3))
+
+This is a security release fixing a number of possible security issues,
+including hardening validation for submodule validation to help protect
+against CVE 2018-17456, and a number of possible errors found by fuzzing
+the libgit2 native library.
+
+This release includes [libgit2
+v0.27.5](https://github.com/libgit2/libgit2/releases/tag/v0.27.5).
+
 ## v0.25.1 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25..v0.25.1))
 This is a security release fixing insufficient validation of submodule
diff --git a/version.json b/version.json
index 8e1e46945..d067fdeec 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://raw.githubusercontent.com/AArnott/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.25.2",
+ "version": "0.25.3",
 "publicReleaseRefSpec": [
 "^refs/heads/master$", // we release out of master
 "^refs/heads/maint/v\\d+(?:\\.\\d+)?$" // and maint/vNN branches

From 34ab01f4f2d5b5ba240146f7686fe314024e2fcf Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Wed, 28 Nov 2018 14:43:47 -0800
Subject: [PATCH 6/7] Update NativeBinaries to libgit2 0.27.7 (plus transport fix)

---
 LibGit2Sharp/LibGit2Sharp.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/LibGit2Sharp/LibGit2Sharp.csproj b/LibGit2Sharp/LibGit2Sharp.csproj
index 47a520703..5cc0bdd16 100644
--- a/LibGit2Sharp/LibGit2Sharp.csproj
+++ b/LibGit2Sharp/LibGit2Sharp.csproj
@@ -32,7 +32,7 @@ - +

From a2c59b7842ac88971fbd47986bd1597738f09416 Mon Sep 17 00:00:00 2001
From: Edward Thomson
Date: Thu, 29 Nov 2018 03:12:04 -0800
Subject: [PATCH 7/7] Prepare for v0.25.4

---
 CHANGES.md | 7 +++++++
 version.json | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGES.md b/CHANGES.md
index bb5149ec0..304bd378d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -10,6 +10,13 @@
 - Windows (x86/amd64):
 - Linux/Mac OS X:
+## v0.25.4 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25.3..v0.25.4))
+
+This is a security and bugfix release that fixes a number of minor
+possible security issues, including possible errors during the parsing
+of commit and tag information. In addition, a number of performance
+improvements and bugfixes are included in the underlying native library.
+
 ## v0.25.3 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25.2..v0.25.3))
 This is a security release fixing a number of possible security issues,
diff --git a/version.json b/version.json
index d067fdeec..0a9443242 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://raw.githubusercontent.com/AArnott/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
- "version": "0.25.3",
+ "version": "0.25.4",
 "publicReleaseRefSpec": [
 "^refs/heads/master$", // we release out of master
 "^refs/heads/maint/v\\d+(?:\\.\\d+)?$" // and maint/vNN branches