| author | Patrick Steinhardt <ps@pks.im> | 2019-12-10 13:44:27 +0100 |
|---|---|---|
| committer | Patrick Steinhardt <ps@pks.im> | 2019-12-10 13:49:57 +0100 |
| commit | b8b8eee35970f93fd1a4c6a913813883d7250bcf (patch) | |
| tree | 57141bf1c0a444d5666731933907898e0b3ae309 /docs | |
| parent | 14ff3516e5f4203838a0edb044c6622b8e3a3755 (diff) | |
| download | libgit2-b8b8eee35970f93fd1a4c6a913813883d7250bcf.tar.gz | |
changelog: document security fixes
Diffstat (limited to 'docs')
-rw-r--r-- | docs/changelog.md | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/docs/changelog.md b/docs/changelog.md index 1ca70493f..f52af8681 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
@@ -1,6 +1,63 @@ v0.28 + 1 --------- +# Security Fixes + +- CVE-2019-1348: the fast-import stream command "feature + export-marks=path" allows writing to arbitrary file paths. As + libgit2 does not offer any interface for fast-import, it is not + susceptible to this vulnerability. + +- CVE-2019-1349: by using NTFS 8.3 short names, backslashes or + alternate filesystreams, it is possible to cause submodules to + be written into pre-existing directories during a recursive + clone using git. As libgit2 rejects cloning into non-empty + directories by default, it is not susceptible to this + vulnerability. + +- CVE-2019-1350: recursive clones may lead to arbitrary remote + code executing due to improper quoting of command line + arguments. As libgit2 uses libssh2, which does not require us + to perform command line parsing, it is not susceptible to this + vulnerability. + +- CVE-2019-1351: Windows provides the ability to substitute + drive letters with arbitrary letters, including multi-byte + Unicode letters. To fix any potential issues arising from + interpreting such paths as relative paths, we have extended + detection of DOS drive prefixes to accomodate for such cases. + +- CVE-2019-1352: by using NTFS-style alternative file streams for + the ".git" directory, it is possible to overwrite parts of the + repository. While this has been fixed in the past for Windows, + the same vulnerability may also exist on other systems that + write to NTFS filesystems. We now reject any paths starting + with ".git:" on all systems. + +- CVE-2019-1353: by using NTFS-style 8.3 short names, it was + possible to write to the ".git" directory and thus overwrite + parts of the repository, leading to possible remote code + execution. While this problem was already fixed in the past for + Windows, other systems accessing NTFS filesystems are + vulnerable to this issue too. We now enable NTFS protecions by + default on all systems to fix this attack vector. 
+ +- CVE-2019-1354: on Windows, backslashes are not a valid part of + a filename but are instead interpreted as directory separators. + As other platforms allowed to use such paths, it was possible + to write such invalid entries into a Git repository and was + thus an attack vector to write into the ".git" dierctory. We + now reject any entries starting with ".git\" on all systems. + +- CVE-2019-1387: it is possible to let a submodule's git + directory point into a sibling's submodule directory, which may + result in overwriting parts of the Git repository and thus lead + to arbitrary command execution. As libgit2 doesn't provide any + way to do submodule clones natively, it is not susceptible to + this vulnerability. Users of libgit2 that have implemented + recursive submodule clones manually are encouraged to review + their implementation for this vulnerability. + ### Breaking API changes * The "private" implementation details of the `git_cred` structure have been |
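Review bot: the new "# Security Fixes" heading is a level-1 heading while the section that follows it in the same hunk is level-3 ("### Breaking API changes"), so it will render as a page title rather than as a sibling section of the v0.28+1 notes; use "### Security Fixes" to match. The bullet text also carries several spelling errors that should be fixed before merging: "accomodate" in the CVE-2019-1351 entry should be "accommodate", "protecions" in the CVE-2019-1353 entry should be "protections", "dierctory" in the CVE-2019-1354 entry should be "directory", and "alternate filesystreams" in the CVE-2019-1349 entry should be "alternate file streams". In the CVE-2019-1350 entry, "arbitrary remote code executing" reads better as "arbitrary remote code execution", and in the CVE-2019-1352 entry "may also exist" can drop "also" since the sentence already opens with "While".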