[Buildroot] [PATCH 1/1] package/libgit2: security bump to version 0.28.4
Peter Korsgaard
peter at korsgaard.com
Mon Dec 16 21:13:17 UTC 2019
>>>>> "Nicolas" == Nicolas Cavallari <nicolas.cavallari at green-communications.fr> writes:
> Fixes the following CVE:
> - CVE-2019-1351: Windows provides the ability to substitute
> drive letters with arbitrary letters, including multi-byte
> Unicode letters. To fix any potential issues arising from
> interpreting such paths as relative paths, we have extended
> detection of DOS drive prefixes to accommodate for such cases.
> - CVE-2019-1352: by using NTFS-style alternative file streams for
> the ".git" directory, it is possible to overwrite parts of the
> repository. While this has been fixed in the past for Windows,
> the same vulnerability may also exist on other systems that
> write to NTFS filesystems. We now reject any paths starting
> with ".git:" on all systems.
> - CVE-2019-1353: by using NTFS-style 8.3 short names, it was
> possible to write to the ".git" directory and thus overwrite
> parts of the repository, leading to possible remote code
> execution. While this problem was already fixed in the past for
> Windows, other systems accessing NTFS filesystems are
> vulnerable to this issue too. We now enable NTFS protections by
> default on all systems to fix this attack vector.
> - CVE-2019-1354: on Windows, backslashes are not a valid part of
> a filename but are instead interpreted as directory separators.
> As other platforms allowed to use such paths, it was possible
> to write such invalid entries into a Git repository and was
> thus an attack vector to write into the ".git" directory. We
> now reject any entries starting with ".git" on all systems.
> libgit2 is not affected by these git CVEs:
So in other words, this isn't really an issue as those are all
Windows-only issues?
But ok, it cannot hurt to bump the version.
Committed, thanks.
--
Bye, Peter Korsgaard
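Added here as an illustration of the checks the quoted commit message describes (example code, not libgit2's own implementation, which is more extensive): a C routine that rejects tree-entry paths whose components would resolve to the .git directory under NTFS naming rules. The function names are assumed, and the drive-letter case of CVE-2019-1351 is not covered.

```c
#include <ctype.h>
#include <stddef.h>
/* Compare `len` bytes case-insensitively; NTFS lookups ignore case. */
static int ieq(const char *a, const char *b, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* NTFS strips trailing dots and spaces and treats ':' as the start of an
 * alternate data stream, so after a matched prefix of `plen` bytes the
 * component still names that prefix if only those characters follow. */
static int ntfs_prefix_only(const char *comp, size_t len, size_t plen)
{
    size_t i = plen;
    while (i < len && (comp[i] == '.' || comp[i] == ' ')) i++;
    return i == len || comp[i] == ':';
}

/* One path component resolves to ".git" under NTFS rules if it is ".git"
 * in any case (".git:stream" included, CVE-2019-1352) or "git~1", the 8.3
 * short name NTFS assigns to ".git" (CVE-2019-1353). */
int component_is_dotgit(const char *comp, size_t len)
{
    if (len >= 4 && ieq(comp, ".git", 4))
        return ntfs_prefix_only(comp, len, 4);
    if (len >= 5 && ieq(comp, "git~1", 5))
        return ntfs_prefix_only(comp, len, 5);
    return 0;
}

/* Split a tree-entry path on '/' and on '\\', since Windows treats the
 * backslash as a separator too (CVE-2019-1354); return 1 if any component
 * would land in the .git directory, i.e. the entry must be rejected. */
int path_touches_dotgit(const char *path)
{
    const char *start = path;
    for (const char *p = path;; p++) {
        if (*p != '/' && *p != '\\' && *p != '\0')
            continue;
        if (component_is_dotgit(start, (size_t)(p - start)))
            return 1;
        if (*p == '\0')
            return 0;
        start = p + 1;
    }
}
```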