Update for LibGit2Sharp v0.25.1 #1577

Merged
merged 2 commits into from
May 29, 2018
22 changes: 22 additions & 0 deletions CHANGES.md
@@ -10,6 +10,28 @@
- Windows (x86/amd64): <https://ci.appveyor.com/project/libgit2/libgit2sharp>
- Linux/Mac OS X: <https://travis-ci.org/libgit2/libgit2sharp>

## v0.25.1 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25..v0.25.1))

This is a security release fixing insufficient validation of submodule
names (CVE-2018-11235, reported by Etienne Stalmans) and disallows
`.gitmodules` files as symlinks. This includes [libgit2
v0.27.1](https://github.com/libgit2/libgit2/releases/tag/v0.27.1),
whose release notes follow.

While submodule names come from the untrusted `.gitmodules` file, we
blindly append the name to `$GIT_DIR/modules` to construct the final
path of the submodule repository. In case the name contains e.g. `../`,
an adversary would be able to escape your repository and write data at
arbitrary paths. In accordance with git, we now enforce some rules for
submodule names which will cause libgit2 to ignore these malicious names.

Adding a symlink as .gitmodules into the index from the workdir or
checking out such files is not allowed as this can make a Git
implementation write outside of the repository and bypass the fsck
checks for CVE-2018-11235.

libgit2 (and LibGit2Sharp) is not susceptible to CVE-2018-11233.

## v0.25 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.24..v0.25))

LibGit2Sharp is now .NET Core 2.0+ and .NET Framework compatible.
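Review bot: the entry states that this release "includes libgit2 v0.27.1", but the only code change in this PR is the LibGit2Sharp.NativeBinaries bump from 1.0.210 to 1.0.217 in LibGit2Sharp.csproj, and nothing in CHANGES.md records that mapping; add a line such as "Ships LibGit2Sharp.NativeBinaries 1.0.217, which bundles libgit2 v0.27.1" so a reader can trace the CVE-2018-11235 fix from the release note to the native package they actually receive. Two smaller points on the same hunk: the opening sentence mixes constructions ("fixing ... and disallows"); "This is a security release that fixes insufficient validation of submodule names (CVE-2018-11235, reported by Etienne Stalmans) and disallows `.gitmodules` files as symlinks" reads cleanly. And since the three paragraphs after "whose release notes follow" are copied from libgit2's notes and speak in libgit2's voice ("we blindly append the name", "cause libgit2 to ignore"), quoting them with `>` would make the attribution visible to LibGit2Sharp readers, who otherwise may take "we" to mean the LibGit2Sharp project.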
2 changes: 1 addition & 1 deletion LibGit2Sharp/LibGit2Sharp.csproj
@@ -32,7 +32,7 @@
</ItemGroup>

<ItemGroup>
<PackageReference Include="LibGit2Sharp.NativeBinaries" Version="[1.0.210]" PrivateAssets="none" />
<PackageReference Include="LibGit2Sharp.NativeBinaries" Version="[1.0.217]" PrivateAssets="none" />
<PackageReference Include="Nerdbank.GitVersioning" Version="2.1.23" PrivateAssets="all" />
<PackageReference Include="SourceLink.Create.GitHub" Version="2.8.0" PrivateAssets="all" />
<DotNetCliToolReference Include="dotnet-sourcelink-git" Version="2.8.0" />
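Review bot: the exact NuGet range `[1.0.217]` is the right shape for a security bump (consumers cannot float to a different native build), but nothing in the diff or the PR title ties 1.0.217 to the libgit2 v0.27.1 that CHANGES.md claims; a short comment above the `PackageReference` line, or a sentence in the commit message naming the libgit2 tag bundled in 1.0.217, would let a reviewer confirm that the shipped native library actually carries the CVE-2018-11235 fix rather than taking the version number on faith. Because the reference keeps `PrivateAssets="none"`, the dependency flows to every consumer of the LibGit2Sharp package, so the package produced from this commit should be checked to declare a dependency on exactly 1.0.217 as well.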