author | Patrick Steinhardt <ps@pks.im> | 2018-07-05 14:20:57 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2018-07-05 14:30:21 +0200 |
commit | 36f07807a96d8ab3d01f077cfa5945fc454e9582 (patch) | |
tree | fb5fbc8164dec3ad00c7952bf48f4490da0dbd75 | |
parent | c1577110467b701dcbcf9439ac225ea851b47d22 (diff) | |
download | libgit2-36f07807a96d8ab3d01f077cfa5945fc454e9582.tar.gz |
CHANGELOG: add release notes for v0.27.3
-rw-r--r-- | CHANGELOG.md | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c6a5eb00..8b149ee4c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,26 @@ +v0.27.3 +------- + +This is a security release fixing out-of-bounds reads when +reading objects from a packfile. This corresponds to +CVE-2018-10887 and CVE-2018-10888, which were both reported by +Riccardo Schirone. + +When packing objects into a single so-called packfile, objects +may not get stored as complete copies but instead as deltas +against another object "base". A specially crafted delta object +could trigger an integer overflow and thus bypass our input +validation, which may result in copying memory before or after +the base object into the final deflated object. This may lead to +objects containing copies of system memory being written into the +object database. As the hash of those objects cannot be easily +controlled by the attacker, it is unlikely that any of those +objects will be valid and referenced by the commit graph. + +Note that the error could also be triggered by the function +`git_apply__patch`. But as this function is not in use outside of +our test suite, it is not a possible attack vector. + v0.27.2 --------- |
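Review bot: In the second paragraph of the new v0.27.3 entry, "copying memory before or after the base object into the final deflated object" uses "deflated" for the output of applying a delta. Deflating is compression, while the sentence describes the object reconstructed from base plus delta, so "the resulting object" would read more accurately. The entry also cites both CVE-2018-10887 and CVE-2018-10888 but describes a single mechanism (an integer overflow that bypasses input validation). If the two ids cover distinct flaws, one sentence per CVE would let readers match this note to the advisories. Finally, the closing paragraph names `git_apply__patch` as a second trigger without naming the packfile code path that was actually fixed. Naming it would help downstream maintainers check whether a backport includes the fix.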