Hello community, here is the log from the commit of package libgit2 for openSUSE:Factory checked in at 2018-08-20 16:17:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libgit2 (Old) and /work/SRC/openSUSE:Factory/.libgit2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libgit2" Mon Aug 20 16:17:15 2018 rev:32 rq:628955 version:0.27.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libgit2/libgit2.changes 2018-07-17 09:37:12.270401663 +0200 +++ /work/SRC/openSUSE:Factory/.libgit2.new/libgit2.changes 2018-08-20 16:17:16.920641692 +0200 @@ -1,0 +2,7 @@ +Mon Aug 13 11:24:27 UTC 2018 - [email protected] + +- libgit2 0.27.4: + * fix out-of-bounds reads when processing smart-protocol "ng" + packets (bsc#1104641) + +------------------------------------------------------------------- Old: ---- libgit2-0.27.3.tar.gz New: ---- libgit2-0.27.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libgit2.spec ++++++ --- /var/tmp/diff_new_pack.FIEqPG/_old 2018-08-20 16:17:17.600642648 +0200 +++ /var/tmp/diff_new_pack.FIEqPG/_new 2018-08-20 16:17:17.604642653 +0200 @@ -19,7 +19,7 @@ %define sover 27 Name: libgit2 -Version: 0.27.3 +Version: 0.27.4 Release: 0 Summary: C git library License: GPL-2.0 WITH GCC-exception-2.0 ++++++ libgit2-0.27.3.tar.gz -> libgit2-0.27.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgit2-0.27.3/.travis.yml new/libgit2-0.27.4/.travis.yml --- old/libgit2-0.27.3/.travis.yml 2018-07-09 15:26:21.000000000 +0200 +++ new/libgit2-0.27.4/.travis.yml 2018-08-06 10:49:49.000000000 +0200 @@ -21,6 +21,7 @@ - OPTIONS="-DTHREADSAFE=OFF -DBUILD_EXAMPLES=ON -DENABLE_WERROR=ON" dist: trusty +osx_image: xcode8.3 sudo: false addons: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgit2-0.27.3/CHANGELOG.md new/libgit2-0.27.4/CHANGELOG.md --- old/libgit2-0.27.3/CHANGELOG.md 2018-07-09 15:26:21.000000000 +0200 +++ new/libgit2-0.27.4/CHANGELOG.md 2018-08-06 10:49:49.000000000 +0200 
@@ -1,3 +1,18 @@
+v0.27.4
+-------
+
+This is a security release fixing out-of-bounds reads when
+processing smart-protocol "ng" packets.
+
+When parsing an "ng" packet, we keep track of both the current position
+as well as the remaining length of the packet itself. But instead of
+taking care not to exceed the length, we pass the current pointer's
+position to `strchr`, which will search for a certain character until
+hitting NUL. It is thus possible to create a crafted packet which
+doesn't contain a NUL byte to trigger an out-of-bounds read.
+
+The issue was discovered by the oss-fuzz project, issue 9406.
+
 v0.27.3
 -------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgit2-0.27.3/include/git2/version.h new/libgit2-0.27.4/include/git2/version.h
--- old/libgit2-0.27.3/include/git2/version.h 2018-07-09 15:26:21.000000000 +0200
+++ new/libgit2-0.27.4/include/git2/version.h 2018-08-06 10:49:49.000000000 +0200
@@ -7,10 +7,10 @@
 #ifndef INCLUDE_git_version_h__
 #define INCLUDE_git_version_h__
-#define LIBGIT2_VERSION "0.27.3"
+#define LIBGIT2_VERSION "0.27.4"
 #define LIBGIT2_VER_MAJOR 0
 #define LIBGIT2_VER_MINOR 27
-#define LIBGIT2_VER_REVISION 3
+#define LIBGIT2_VER_REVISION 4
 #define LIBGIT2_VER_PATCH 0
 #define LIBGIT2_SOVERSION 27
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libgit2-0.27.3/src/transports/smart_pkt.c new/libgit2-0.27.4/src/transports/smart_pkt.c
--- old/libgit2-0.27.3/src/transports/smart_pkt.c 2018-07-09 15:26:21.000000000 +0200
+++ new/libgit2-0.27.4/src/transports/smart_pkt.c 2018-08-06 10:49:49.000000000 +0200
@@ -299,8 +299,11 @@
 pkt->ref = NULL;
 pkt->type = GIT_PKT_NG;
+ if (len < 3)
+ goto out_err;
 line += 3; /* skip "ng " */
- if (!(ptr = strchr(line, ' ')))
+ len -= 3;
+ if (!(ptr = memchr(line, ' ', len)))
 goto out_err;
 len = ptr - line;
@@ -311,8 +314,11 @@
 memcpy(pkt->ref, line, len);
 pkt->ref[len] = '\0';
+ if (len < 1)
+ goto out_err;
 line = ptr + 1;
- if (!(ptr = strchr(line, '\n')))
+ len -= 1;
+ if (!(ptr = memchr(line, '\n', len)))
 goto out_err;
 len = ptr - line;
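Review bot: In the second smart_pkt.c hunk, `len` no longer holds the remaining packet length when it bounds the new `memchr(line, '\n', len)`: the first hunk ends with `len = ptr - line`, and the `memcpy(pkt->ref, line, len)` context line shows it is still the ref-name length at that point. As a result `if (len < 1)` only rejects an empty ref, and `len -= 1` yields the ref length minus one, a bound unrelated to how many bytes actually follow the space. A message shorter than that bound can still be scanned past the end of the packet, and a longer one makes a well-formed packet fail with `out_err`. Fixing an end pointer before `len` is reused and bounding both searches with it would close this; the function's declarations and the lines between the two hunks are outside the diff, so where `eol` is declared below is a sketch.

```c
const char *eol = line + len; /* end of the packet, fixed before len is reused */
/* … unchanged: pkt setup, len < 3 check, skip "ng " … */
if (!(ptr = memchr(line, ' ', eol - line)))
	goto out_err;
/* … unchanged: len = ptr - line, allocate and copy pkt->ref … */
line = ptr + 1;
if (line >= eol)
	goto out_err;
if (!(ptr = memchr(line, '\n', eol - line)))
	goto out_err;
```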
