Commit 33effc0

Merge pull request #1577 from libgit2/ethomson/0_25_1
Update for LibGit2Sharp v0.25.1
2 parents 47287bc + 28a0ab3 commit 33effc0

2 files changed

+23
-1
lines changed

CHANGES.md

Lines changed: 22 additions & 0 deletions
@@ -10,6 +10,28 @@
1010
- Windows (x86/amd64): <https://ci.appveyor.com/project/libgit2/libgit2sharp>
1111
- Linux/Mac OS X: <https://travis-ci.org/libgit2/libgit2sharp>
1212

13+
## v0.25.1 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25..v0.25.1))
14+
15+
This is a security release fixing insufficient validation of submodule
16+
names (CVE-2018-11235, reported by Etienne Stalmans) and disallows
17+
`.gitmodules` files as symlinks. This includes [libgit2
18+
v0.27.1](https://github.com/libgit2/libgit2/releases/tag/v0.27.1),
19+
whose release notes follow.
20+
21+
While submodule names come from the untrusted `.gitmodules` file, we
22+
blindly append the name to `$GIT_DIR/modules` to construct the final
23+
path of the submodule repository. In case the name contains e.g. `../`,
24+
an adversary would be able to escape your repository and write data at
25+
arbitrary paths. In accordance with git, we now enforce some rules for
26+
submodule names which will cause libgit2 to ignore these malicious names.
27+
28+
Adding a symlink as .gitmodules into the index from the workdir or
29+
checking out such files is not allowed as this can make a Git
30+
implementation write outside of the repository and bypass the fsck
31+
checks for CVE-2018-11235.
32+
33+
libgit2 (and LibGit2Sharp) is not susceptible to CVE-2018-11233.
34+
1335
## v0.25 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.24..v0.25))
1436

1537
LibGit2Sharp is now .NET Core 2.0+ and .NET Framework compatible.
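Review bot: the new v0.25.1 entry (diff lines 15-19) says the release "includes libgit2 v0.27.1" but never names the LibGit2Sharp.NativeBinaries package version that actually carries it, and that package version is the only thing a consumer can pin or audit from NuGet; consider adding a line next to the libgit2 link along the lines of `This release depends on LibGit2Sharp.NativeBinaries 1.0.217, which bundles libgit2 v0.27.1.` so the changelog matches what the csproj in this same commit changes. Two smaller points: lines 25-26 say "we now enforce some rules for submodule names" without stating which rules, so a reader cannot tell whether an existing (legitimate) submodule name will start being ignored; either spell the rules out or link the git advisory for CVE-2018-11235 alongside the libgit2 v0.27.1 link. And line 28 writes .gitmodules bare while line 17 uses backticks; use `.gitmodules` in both places.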

LibGit2Sharp/LibGit2Sharp.csproj

Lines changed: 1 addition & 1 deletion
@@ -32,7 +32,7 @@
3232
</ItemGroup>
3333

3434
<ItemGroup>
35-
<PackageReference Include="LibGit2Sharp.NativeBinaries" Version="[1.0.210]" PrivateAssets="none" />
35+
<PackageReference Include="LibGit2Sharp.NativeBinaries" Version="[1.0.217]" PrivateAssets="none" />
3636
<PackageReference Include="Nerdbank.GitVersioning" Version="2.1.23" PrivateAssets="all" />
3737
<PackageReference Include="SourceLink.Create.GitHub" Version="2.8.0" PrivateAssets="all" />
3838
<DotNetCliToolReference Include="dotnet-sourcelink-git" Version="2.8.0" />
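Review bot: the exact pin `[1.0.217]` on line 35 is the right shape for a security bump, but nothing in this diff ties LibGit2Sharp.NativeBinaries 1.0.217 to the libgit2 v0.27.1 that CHANGES.md claims this release includes; a reviewer can only take that on faith. Please cite the NativeBinaries release (or the libgit2 commit/tag it was built from) in the PR description or in a comment on this `<PackageReference>` so the bump can be verified to deliver the CVE-2018-11235 fix, and confirm the CI links listed at the top of CHANGES.md ran against 1.0.217 on all platforms, since the native library changed underneath an otherwise source-identical managed build.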
