Fedora Linux 8811 Published by

A libgit2 security update has been released for Fedora 31



--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-9c3d054f39
2019-12-17 01:44:37.598362
--------------------------------------------------------------------------------

Name : libgit2
Product : Fedora 31
Version : 0.28.4
Release : 1.fc31
URL : https://libgit2.org/
Summary : C implementation of the Git core methods as a library with a solid API
Description :
libgit2 is a portable, pure C implementation of the Git core methods
provided as a re-entrant linkable library with a solid API, allowing
you to write native speed custom Git applications in any language
with bindings.

--------------------------------------------------------------------------------
Update Information:

This is a security release fixing the following issues: * CVE-2019-1348: the
fast-import stream command "feature export-marks=path" allows writing to
arbitrary file paths. As libgit2 does not offer any interface for fast-import,
it is not susceptible to this vulnerability. * CVE-2019-1349: by using NTFS 8.3
short names, backslashes or alternate filesystreams, it is possible to cause
submodules to be written into pre-existing directories during a recursive clone
using git. As libgit2 rejects cloning into non-empty directories by default, it
is not susceptible to this vulnerability. * CVE-2019-1350: recursive clones may
lead to arbitrary remote code executing due to improper quoting of command line
arguments. As libgit2 uses libssh2, which does not require us to perform command
line parsing, it is not susceptible to this vulnerability. * CVE-2019-1351:
Windows provides the ability to substitute drive letters with arbitrary letters,
including multi-byte Unicode letters. To fix any potential issues arising from
interpreting such paths as relative paths, we have extended detection of DOS
drive prefixes to accomodate for such cases. * CVE-2019-1352: by using NTFS-
style alternative file streams for the ".git" directory, it is possible to
overwrite parts of the repository. While this has been fixed in the past for
Windows, the same vulnerability may also exist on other systems that write to
NTFS filesystems. We now reject any paths starting with ".git:" on all systems.
* CVE-2019-1353: by using NTFS-style 8.3 short names, it was possible to write
to the ".git" directory and thus overwrite parts of the repository, leading to
possible remote code execution. While this problem was already fixed in the past
for Windows, other systems accessing NTFS filesystems are vulnerable to this
issue too. We now enable NTFS protecions by default on all systems to fix this
attack vector. * CVE-2019-1354: on Windows, backslashes are not a valid part of
a filename but are instead interpreted as directory separators. As other
platforms allowed to use such paths, it was possible to write such invalid
entries into a Git repository and was thus an attack vector to write into the
".git" dierctory. We now reject any entries starting with ".git" on all systems.
* CVE-2019-1387: it is possible to let a submodule's git directory point into a
sibling's submodule directory, which may result in overwriting parts of the Git
repository and thus lead to arbitrary command execution. As libgit2 doesn't
provide any way to do submodule clones natively, it is not susceptible to this
vulnerability. Users of libgit2 that have implemented recursive submodule clones
manually are encouraged to review their implementation for this vulnerability.
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 11 2019 Igor Gnatenko - 0.28.4-1
- Update to 0.28.4
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #1742726 - libgit2-0.28.3 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1742726
[ 2 ] Bug #1765165 - libgit2: Out-of-bounds write via commits with large number of parents [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1765165
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-9c3d054f39' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys