<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/libgit2.git, branch users/ethomson/security_updates</title>
<subtitle>github.com: libgit2/libgit2.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/'/>
<entry>
<title>changelog: include security updates</title>
<updated>2019-08-13T16:56:06+00:00</updated>
<author>
<name>Edward Thomson</name>
<email>ethomson@edwardthomson.com</email>
</author>
<published>2019-08-04T23:32:11+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=df3f18acf0d4fae14f26c9de0c9675736aff0eb5'/>
<id>df3f18acf0d4fae14f26c9de0c9675736aff0eb5</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>commit_list: fix possible buffer overflow in `commit_quick_parse`</title>
<updated>2019-08-13T16:56:06+00:00</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2019-06-21T13:53:54+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=57a9ccd5e21f8b98885e392f193ee6a7ead79172'/>
<id>57a9ccd5e21f8b98885e392f193ee6a7ead79172</id>
<content type='text'>
The function `commit_quick_parse` provides a way to quickly parse
parts of a commit without storing or verifying most of its
metadata. The first thing it does is calculating the number of
parents by skipping "parent " lines until it finds the first
non-parent line. Afterwards, this parent count is passed to
`alloc_parents`, which will allocate an array to store all the
parent.

To calculate the amount of storage required for the parents
array, `alloc_parents` simply multiplicates the number of parents
with the respective elements's size. This already screams "buffer
overflow", and in fact this problem is getting worse by the
result being cast to an `uint32_t`.

In fact, triggering this is possible: git-hash-object(1) will
happily write a commit with multiple millions of parents for you.
I've stopped at 67,108,864 parents as git-hash-object(1)
unfortunately soaks up the complete object without streaming
anything to disk and thus will cause an OOM situation at a later
point. The point here is: this commit was about 4.1GB of size but
compressed down to 24MB and thus easy to distribute.

The above doesn't yet trigger the buffer overflow, thus. As the
array's elements are all pointers which are 8 bytes on 64 bit, we
need a total of 536,870,912 parents to trigger the overflow to
`0`. The effect is that we're now underallocating the array
and do an out-of-bound writes. As the buffer is kindly provided
by the adversary, this may easily result in code execution.

Extrapolating from the test file with 67m commits to the one with
536m commits results in a factor of 8. Thus the uncompressed
contents would be about 32GB in size and the compressed ones
192MB. While still easily distributable via the network, only
servers will have that amount of RAM and not cause an
out-of-memory condition previous to triggering the overflow. This
at least makes this attack not an easy vector for client-side use
of libgit2.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The function `commit_quick_parse` provides a way to quickly parse
parts of a commit without storing or verifying most of its
metadata. The first thing it does is calculating the number of
parents by skipping "parent " lines until it finds the first
non-parent line. Afterwards, this parent count is passed to
`alloc_parents`, which will allocate an array to store all the
parent.

To calculate the amount of storage required for the parents
array, `alloc_parents` simply multiplicates the number of parents
with the respective elements's size. This already screams "buffer
overflow", and in fact this problem is getting worse by the
result being cast to an `uint32_t`.

In fact, triggering this is possible: git-hash-object(1) will
happily write a commit with multiple millions of parents for you.
I've stopped at 67,108,864 parents as git-hash-object(1)
unfortunately soaks up the complete object without streaming
anything to disk and thus will cause an OOM situation at a later
point. The point here is: this commit was about 4.1GB of size but
compressed down to 24MB and thus easy to distribute.

The above doesn't yet trigger the buffer overflow, thus. As the
array's elements are all pointers which are 8 bytes on 64 bit, we
need a total of 536,870,912 parents to trigger the overflow to
`0`. The effect is that we're now underallocating the array
and do an out-of-bound writes. As the buffer is kindly provided
by the adversary, this may easily result in code execution.

Extrapolating from the test file with 67m commits to the one with
536m commits results in a factor of 8. Thus the uncompressed
contents would be about 32GB in size and the compressed ones
192MB. While still easily distributable via the network, only
servers will have that amount of RAM and not cause an
out-of-memory condition previous to triggering the overflow. This
at least makes this attack not an easy vector for client-side use
of libgit2.
</pre>
</div>
</content>
</entry>
<entry>
<title>config: validate ownership of C:\ProgramData\Git\config before using it</title>
<updated>2019-08-13T16:56:06+00:00</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2019-06-19T10:59:27+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=cb1439c9d32c059ee93216637a6d155306f76ab3'/>
<id>cb1439c9d32c059ee93216637a6d155306f76ab3</id>
<content type='text'>
When the VirtualStore feature is in effect, it is safe to let random
users write into C:\ProgramData because other users won't see those
files. This seemed to be the case when we introduced support for
C:\ProgramData\Git\config.

However, when that feature is not in effect (which seems to be the case
in newer Windows 10 versions), we'd rather not use those files unless
they come from a trusted source, such as an administrator.

This change imitates the strategy chosen by PowerShell's native OpenSSH
port to Windows regarding host key files: if a system file is owned
neither by an administrator, a system account, or the current user, it
is ignored.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the VirtualStore feature is in effect, it is safe to let random
users write into C:\ProgramData because other users won't see those
files. This seemed to be the case when we introduced support for
C:\ProgramData\Git\config.

However, when that feature is not in effect (which seems to be the case
in newer Windows 10 versions), we'd rather not use those files unless
they come from a trusted source, such as an administrator.

This change imitates the strategy chosen by PowerShell's native OpenSSH
port to Windows regarding host key files: if a system file is owned
neither by an administrator, a system account, or the current user, it
is ignored.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge pull request #5113 from pks-t/pks/stash-perf</title>
<updated>2019-08-11T22:42:45+00:00</updated>
<author>
<name>Edward Thomson</name>
<email>ethomson@edwardthomson.com</email>
</author>
<published>2019-08-11T22:42:45+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=5774b2b13468aa3c2e7e604dd348357f6842c56a'/>
<id>5774b2b13468aa3c2e7e604dd348357f6842c56a</id>
<content type='text'>
stash: avoid recomputing tree when committing worktree</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
stash: avoid recomputing tree when committing worktree</pre>
</div>
</content>
</entry>
<entry>
<title>Merge pull request #5121 from pks-t/pks/variadic-errors</title>
<updated>2019-08-11T20:06:19+00:00</updated>
<author>
<name>Edward Thomson</name>
<email>ethomson@edwardthomson.com</email>
</author>
<published>2019-08-11T20:06:19+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=42bacbc603bccf717b29cf603f825c9e6f5c1cf3'/>
<id>42bacbc603bccf717b29cf603f825c9e6f5c1cf3</id>
<content type='text'>
Variadic macros</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Variadic macros</pre>
</div>
</content>
</entry>
<entry>
<title>Merge pull request #4913 from implausible/feature/signing-rebase-commits</title>
<updated>2019-08-09T07:01:56+00:00</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2019-08-09T07:01:56+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=b0692d6b3e818b9389295d7d33a0601143cc0c16'/>
<id>b0692d6b3e818b9389295d7d33a0601143cc0c16</id>
<content type='text'>
Add sign capability to git_rebase_commit</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add sign capability to git_rebase_commit</pre>
</div>
</content>
</entry>
<entry>
<title>fixup: strange indentation</title>
<updated>2019-08-07T14:21:27+00:00</updated>
<author>
<name>Tyler Ang-Wanek</name>
<email>tylerw@axosoft.com</email>
</author>
<published>2019-08-07T14:21:27+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=998f9c15fdca34bbfe6a3d92093afe9c7f886dcf'/>
<id>998f9c15fdca34bbfe6a3d92093afe9c7f886dcf</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge pull request #5197 from pks-t/pks/remote-ifdeffed-block</title>
<updated>2019-08-02T12:18:07+00:00</updated>
<author>
<name>Edward Thomson</name>
<email>ethomson@edwardthomson.com</email>
</author>
<published>2019-08-02T12:18:07+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=f627ba6c7f4b40d533cc127f408cbce8353697ed'/>
<id>f627ba6c7f4b40d533cc127f408cbce8353697ed</id>
<content type='text'>
remote: remove unused block of code</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
remote: remove unused block of code</pre>
</div>
</content>
</entry>
<entry>
<title>Merge pull request #5146 from scottfurry/StaticFixesExamples</title>
<updated>2019-08-02T05:58:11+00:00</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2019-08-02T05:58:11+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=24c491ed00a53f59249e1744a5c6cde1d3f473d4'/>
<id>24c491ed00a53f59249e1744a5c6cde1d3f473d4</id>
<content type='text'>
Adjust printf specifiers in examples code</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Adjust printf specifiers in examples code</pre>
</div>
</content>
</entry>
<entry>
<title>remote: remove unused block of code</title>
<updated>2019-08-02T05:52:58+00:00</updated>
<author>
<name>Patrick Steinhardt</name>
<email>ps@pks.im</email>
</author>
<published>2019-08-02T05:52:58+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/libgit2.git/commit/?id=e23c0b18e68f1912c5c6e55b216967c7d257a92d'/>
<id>e23c0b18e68f1912c5c6e55b216967c7d257a92d</id>
<content type='text'>
In "remote.c", we have a chunk of code that is #ifdef'fed out via
`#if 0` with a comment that we could export it as a helper function.
The code was implemented in 2013 and ifdef'fed in 2014, which shows that
there's clearly no interest in having such a helper at all.

As this block has recently created some confusion about `p_getenv` due
to it containing the only reference to that function in our codebase,
let's remove this block altogether.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In "remote.c", we have a chunk of code that is #ifdef'fed out via
`#if 0` with a comment that we could export it as a helper function.
The code was implemented in 2013 and ifdef'fed in 2014, which shows that
there's clearly no interest in having such a helper at all.

As this block has recently created some confusion about `p_getenv` due
to it containing the only reference to that function in our codebase,
let's remove this block altogether.
</pre>
</div>
</content>
</entry>
</feed>
