Commit Graph

14 Commits

Author SHA1 Message Date
Soumya Sambu
d83cb2d0e5 libgit2: Fix CVE-2024-24575 and CVE-2024-24577
CVE-2024-24575:
libgit2 is a portable C implementation of the Git core methods provided
as a linkable library with a solid API, allowing to build Git functionality
into your application. Using well-crafted inputs to `git_revparse_single`
can cause the function to enter an infinite loop, potentially causing a
Denial of Service attack in the calling application. The revparse function
in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec
string. There is an edge-case during parsing that allows a bad actor to
force the loop conditions to access arbitrary memory. Potentially, this
could also leak memory if the extracted rev spec is reflected back to the
attacker. As such, libgit2 versions before 1.4.0 are not affected. Users
should upgrade to version 1.6.5 or 1.7.2.

CVE-2024-24577:
libgit2 is a portable C implementation of the Git core methods provided
as a linkable library with a solid API, allowing to build Git functionality
into your application. Using well-crafted inputs to `git_index_add` can
cause heap corruption that could be leveraged for arbitrary code execution.
There is an issue in the `has_dir_name` function in `src/libgit2/index.c`,
which frees an entry that should not be freed. The freed entry is later
used and overwritten with potentially bad actor-controlled data leading to
controlled heap corruption. Depending on the application that uses libgit2,
this could lead to arbitrary code execution. This issue has been patched
in version 1.6.5 and 1.7.2.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-24575
https://security-tracker.debian.org/tracker/CVE-2024-24575
https://nvd.nist.gov/vuln/detail/CVE-2024-24577
https://security-tracker.debian.org/tracker/CVE-2024-24577

(From OE-Core rev: 942254eb3ef29c8672a35015c086721c4fbe5a4f)

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-02-15 03:51:57 -10:00
Steve Sakoman
95d0e4347b libgit2: upgrade 1.4.4 -> 1.4.5
Fixes:

libgit2, when compiled using the optional, included libssh2 backend, fails to verify SSH keys by default.

Description
When using an SSH remote with the optional, included libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the certificate_check field of libgit2's git_remote_callbacks structure - if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default - without configuring a certificate check callback, clients will not perform validation on the server SSH keys and may be subject to a man-in-the-middle attack.

Beginning in libgit2 v1.4.5 and v1.5.1, libgit2 will now perform host key checking by default. Users can still override the default behavior using the certificate_check function.

The libgit2 security team would like to thank the Julia and Rust security teams for responsibly disclosing this vulnerability and assisting with fixing the vulnerability.

(From OE-Core rev: 6c64dc88b5dac910f3760e9cd1003cc83df3ffad)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:46 +00:00
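The commit above explains that, before 1.4.5, a libgit2 caller that never set certificate_check in git_remote_callbacks got no SSH host-key verification at all. What follows is an added example of the check such a callback should perform, written for this page and not code from libgit2 or OE-Core: a compiled-in pin table of OpenSSH-style SHA256 fingerprints compared in constant time against the host key the transport presents. The host git.example.internal and its fingerprint are constructed (the bytes 0x00..0x1f). Everything outside the USE_LIBGIT2 section builds with no dependencies; that section uses the names from libgit2's public header (git_cert_hostkey, GIT_CERT_HOSTKEY_LIBSSH2, GIT_CERT_SSH_SHA256, GIT_ECERTIFICATE) and is compiled only when you add -DUSE_LIBGIT2 -lgit2.

```c
/* hostkey_pin.c: pinned SSH host-key check for a libgit2 certificate_check
 * callback.  Builds stand-alone with:  cc -Wall hostkey_pin.c
 * Add -DUSE_LIBGIT2 -lgit2 to also compile the libgit2 callback. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct hostpin {
    const char *host;        /* host name as libgit2 passes it to the callback */
    const char *fingerprint; /* OpenSSH style "SHA256:<unpadded base64>" */
};

/* Constructed example pin (decodes to bytes 0x00..0x1f).  Real values come
 * from: ssh-keyscan HOST > hk; ssh-keygen -lf hk */
static const struct hostpin example_pins[] = {
    { "git.example.internal", "SHA256:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8" },
};
#define EXAMPLE_NPINS (sizeof example_pins / sizeof example_pins[0])

static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode unpadded base64 into out; returns bytes written or -1 on bad input. */
static int b64_decode(const char *s, unsigned char *out, size_t outlen)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *s != '\0' && *s != '='; s++) {
        int v = b64_val((unsigned char)*s);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
            acc &= (1u << bits) - 1;      /* keep only the leftover bits */
        }
    }
    return (int)n;
}

/* Parse "SHA256:<base64>" into 32 raw bytes; 0 on success, -1 otherwise. */
int fingerprint_to_sha256(const char *fp, unsigned char out[32])
{
    if (strncmp(fp, "SHA256:", 7) != 0) return -1;
    return b64_decode(fp + 7, out, 32) == 32 ? 0 : -1;
}

/* Constant time in the data (the length is public). */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

static int host_eq(const char *a, const char *b)   /* host names are case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* 1 if sha256 (raw, 32 bytes) matches a pin recorded for host, else 0. */
int pinned_hostkey_ok(const struct hostpin *pins, size_t npins,
                      const char *host, const unsigned char *sha256, size_t len)
{
    unsigned char want[32];
    int ok = 0;
    if (len != 32) return 0;
    for (size_t i = 0; i < npins; i++) {
        if (!host_eq(pins[i].host, host)) continue;
        if (fingerprint_to_sha256(pins[i].fingerprint, want) != 0) continue; /* malformed pin never matches */
        ok |= ct_equal(want, sha256, 32);   /* a host may carry several pins (key rotation) */
    }
    return ok;
}

/* Same check for a fingerprint string, e.g. one captured with ssh-keyscan. */
int check_host_fingerprint(const struct hostpin *pins, size_t npins,
                           const char *host, const char *observed)
{
    unsigned char got[32];
    if (fingerprint_to_sha256(observed, got) != 0) return 0;
    return pinned_hostkey_ok(pins, npins, host, got, sizeof got);
}

#ifdef USE_LIBGIT2
#include <git2.h>
/* Shape of git_remote_callbacks.certificate_check: return 0 to accept,
 * GIT_ECERTIFICATE to abort.  libgit2's own verdict (valid) is ignored on
 * purpose: the compiled-in pin, not the user's known_hosts file, is authoritative. */
int pinned_certificate_check(git_cert *cert, int valid, const char *host, void *payload)
{
    const git_cert_hostkey *hk = (const git_cert_hostkey *)cert;
    (void)valid; (void)payload;
    if (cert->cert_type != GIT_CERT_HOSTKEY_LIBSSH2 || !(hk->type & GIT_CERT_SSH_SHA256))
        return GIT_ECERTIFICATE;
    return pinned_hostkey_ok(example_pins, EXAMPLE_NPINS, host, hk->hash_sha256, 32)
               ? 0 : GIT_ECERTIFICATE;
}
#endif

int main(void)
{
    const char *seen = "SHA256:AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8";
    printf("git.example.internal  -> %s\n", check_host_fingerprint(example_pins,
           EXAMPLE_NPINS, "git.example.internal", seen) ? "pinned" : "REJECT");
    printf("evil.example.internal -> %s\n", check_host_fingerprint(example_pins,
           EXAMPLE_NPINS, "evil.example.internal", seen) ? "pinned" : "REJECT");
    return 0;
}
```

To wire the callback in, initialise the callbacks with GIT_REMOTE_CALLBACKS_INIT, set `.certificate_check = pinned_certificate_check`, and pass them in the fetch or clone options. Returning GIT_ECERTIFICATE aborts the connection, which is the failure mode a caller wants; the pre-1.4.5 default described above connected anyway when no callback was set.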
Steve Sakoman
b1d0c4f16e libgit2: upgrade 1.4.3 -> 1.4.4
This is a security release with multiple changes.

This provides compatibility with git's changes to address CVE-2022-29187. As a follow-up to CVE-2022-24765, now not only is the working directory of a non-bare repository examined for its ownership, but the .git directory and the .git file (if present) are also examined for their ownership.

A fix for compatibility with git's (new) behavior for CVE-2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in sudo.

A fix for further compatibility with git's (existing) behavior for CVE-2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using runas Administrator).

The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

(From OE-Core rev: 4bc31ac89eb0562bae37e2246e8001b4286f61da)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-02-24 16:41:46 +00:00
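The ownership rule the 1.4.4 commit above describes, written out as an added example for this page rather than code from libgit2 or git: a repository is trusted only if the working directory and its .git entry (directory or gitfile) are both owned by the effective user, and root running under sudo is additionally allowed to use repositories owned by the invoking user. git identifies that user through the SUDO_UID environment variable; this example assumes libgit2 1.4.4 does the same. Using lstat() on the .git entry and the throwaway-fixture helper are this example's own choices, and the Windows "runas Administrator" case from the message is not covered.

```c
/* repo_owner_check.c: the ownership test git (and libgit2 from 1.4.4) apply
 * before trusting a repository's config (CVE-2022-24765 family).
 * Build: cc -Wall repo_owner_check.c ; run: ./a.out /path/to/worktree */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path exists and is owned by uid.  follow=0 uses lstat() so a .git
 * symlink planted by another user is judged by its own owner (a choice made
 * here; the commit message does not say which call libgit2 uses). */
static int path_owned_by(const char *path, uid_t uid, int follow)
{
    struct stat st;
    int rc = follow ? stat(path, &st) : lstat(path, &st);
    return rc == 0 && st.st_uid == uid;
}

/* 1 if the working directory and its .git entry (directory or gitfile) are
 * both owned by uid; 0 if either is missing, unreadable or owned by someone else. */
int repo_owned_by(const char *workdir, uid_t uid)
{
    char gitpath[4096];
    if (!path_owned_by(workdir, uid, 1))
        return 0;
    if (snprintf(gitpath, sizeof gitpath, "%s/.git", workdir) >= (int)sizeof gitpath)
        return 0;
    return path_owned_by(gitpath, uid, 0);
}

/* SUDO_UID as a number, or -1 if unset or not purely numeric.  Root under
 * sudo is then treated as also being the invoking user (assumed to mirror
 * what git does; see the lead-in). */
long sudo_uid_value(void)
{
    const char *s = getenv("SUDO_UID");
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > 0x7fffffffUL)
        return -1;
    return (long)v;
}

/* The decision a caller makes before reading <workdir>/.git/config. */
int repo_owned_by_current_user(const char *workdir)
{
    long su = sudo_uid_value();
    if (repo_owned_by(workdir, geteuid()))
        return 1;
    return geteuid() == 0 && su >= 0 && repo_owned_by(workdir, (uid_t)su);
}

/* Create a throwaway <tmp>/ownercheck-<pid>/.git, run the check against uid,
 * remove it and return the verdict (-1 if the fixture could not be made). */
int check_fresh_fixture(uid_t uid)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[4096], git[4096 + 8];
    int verdict;
    snprintf(dir, sizeof dir, "%s/ownercheck-%ld", tmp, (long)getpid());
    snprintf(git, sizeof git, "%s/.git", dir);
    if (mkdir(dir, 0700) != 0)
        return -1;
    if (mkdir(git, 0700) != 0) {
        rmdir(dir);
        return -1;
    }
    verdict = repo_owned_by(dir, uid);
    rmdir(git);
    rmdir(dir);
    return verdict;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    printf("%s: %s\n", dir, repo_owned_by_current_user(dir)
           ? "owned by you, safe to trust its config"
           : "not owned by you: git would refuse to use it");
    return 0;
}
```

Run it against a checkout that belongs to another account (or the same checkout through `sudo`, with and without SUDO_UID in the environment) to see the two halves of the rule: the plain ownership match, and the sudo exception that 1.4.4 added for POSIX systems.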
wangmy
1d045cfddf libgit2: upgrade 1.4.2 -> 1.4.3
Changelog:
=========
Validate repository directory ownership (v1.4)
midx: Fix an undefined behavior (left-shift signed overflow)
fetch: support OID refspec without dst
Fix crash when regenerating a patch with unquoted spaces in filename

(From OE-Core rev: e6541bd09289abc87b7e81716bea774c80285bc0)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bef09c61ee32df214fb8cf6000e0314ff3a38156)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-04-28 17:07:18 +01:00
wangmy
e1dea39862 libgit2: upgrade 1.4.1 -> 1.4.2
This is a bugfix release with the following changes:
====================================================
remote: do store the update_tips callback error value
win32: find_system_dirs does not return GIT_ENOTFOUND

(From OE-Core rev: c8f1727fd3f9583e25ac4dab0194b508758d7eaa)

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-02 18:43:24 +00:00
Khem Raj
995b971744 libgit2: Upgrade to 1.4.1
this is a bugfix release
https://github.com/libgit2/libgit2/releases/tag/v1.4.1

(From OE-Core rev: ee862994d27d1a82642309b84e5957e4a7d341e3)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-20 16:45:25 +00:00
Richard Purdie
b0130fcf91 meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.

(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-20 16:45:25 +00:00
Alexander Kanavin
09da07b203 libgit2: update 1.3.0 -> 1.4.0
License-Update: regex replaced with pcre, overall licensing doesn't change

(From OE-Core rev: 1887c33733578c36d064bf91068b51b241fe88c0)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-18 11:37:11 +00:00
Richard Purdie
ba2f6c64a1 recipes: Update github.com urls to use https
Github has announced there will be no more git:// fetching from their servers:

https://github.blog/2021-09-01-improving-git-protocol-security-github/#no-more-unauthenticated-git

and they're about to start having brownout periods to encourage people
to update. This runs the conversion script over OE-Core to update our
urls to use https instead of git.

(From OE-Core rev: b37b61e9a1e448a34957db9ae39285d21352552e)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-11-03 10:12:42 +00:00
Alexander Kanavin
98de468054 libgit2: update 1.2.0 -> 1.3.0
(From OE-Core rev: d8735cacb0e573ac91c3aee3e3e573d804646c63)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-10-23 17:42:25 +01:00
Alexander Kanavin
8bddba7249 libgit2: update 1.1.1 -> 1.2.0
License-Update: includes portions of openssl headers
0903cac1d0

(From OE-Core rev: 81a101332e7e59848165b06b734056a385e8cc3f)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-10-11 18:41:38 +01:00
Alexander Kanavin
a51c307509 libgit2: upgrade 1.1.0 -> 1.1.1
(From OE-Core rev: cb5734550778a37c0140f63d337fc72168836bb9)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-07-16 21:23:44 +01:00
Randy MacLeod
53f26a4587 libgit2: pull in updates from meta-oe
d62613046 libgit2: update to 1.1.0
ce47a064d libgit2: upgrade 1.0.0 -> 1.0.1
7d137c5b2 libgit2: Enable pcre2 regexp backend
14894a4c4 libgit2: Update to v1.0.0
7b39ea059 libgit2: Upgrade to 0.28.4
da358cf1f libgit2: Don't pass parameters with their default values to cmake
bcd89f7cd libgit2: Upgrade 0.27.9 -> 0.28.3
87c9da253 libgit2: Upgrade 0.27.8 -> 0.27.9

(From OE-Core rev: 41704717860c96ba91e19853e77df1f8100ed2ea)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-02-26 15:21:20 +00:00
Randy MacLeod
53615dae3e Add libgit2, libssh2 from meta-oe for rust
(From OE-Core rev: a6e49314f64b65b3a165d33ae581b6761ded0e82)

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-02-26 15:21:20 +00:00