Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
git2
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
lvzhengyang
git2
Commits
a3e53c16
Unverified
Commit
a3e53c16
authored
Jul 09, 2018
by
Patrick Steinhardt
Committed by
GitHub
Jul 09, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #4718 from pks-t/pks/v0.26.5
Release v0.26.5
parents
ca55adaa
440a3636
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
70 additions
and
23 deletions
+70
-23
CHANGELOG.md
+23
-0
include/git2/version.h
+2
-2
src/delta.c
+23
-21
tests/delta/apply.c
+21
-0
tests/diff/binary.c
+1
-0
No files found.
CHANGELOG.md
View file @
a3e53c16
v0.26.5
-------
This is a security release fixing out-of-bounds reads when
reading objects from a packfile. This corresponds to
CVE-2018-10887 and CVE-2018-10888, which were both reported by
Riccardo Schirone.
When packing objects into a single so-called packfile, objects
may not get stored as complete copies but instead as deltas
against another object "base". A specially crafted delta object
could trigger an integer overflow and thus bypass our input
validation, which may result in copying memory before or after
the base object into the final deflated object. This may lead to
objects containing copies of system memory being written into the
object database. As the hash of those objects cannot be easily
controlled by the attacker, it is unlikely that any of those
objects will be valid and referenced by the commit graph.
Note that the error could also be triggered by the function
`git_apply__patch`
. But as this function is not in use outside of
our test suite, it is not a possible attack vector.
v0.26.4
-------
...
...
include/git2/version.h
View file @
a3e53c16
...
...
@@ -7,10 +7,10 @@
#ifndef INCLUDE_git_version_h__
#define INCLUDE_git_version_h__
#define LIBGIT2_VERSION "0.26.
4
"
#define LIBGIT2_VERSION "0.26.
5
"
#define LIBGIT2_VER_MAJOR 0
#define LIBGIT2_VER_MINOR 26
#define LIBGIT2_VER_REVISION
4
#define LIBGIT2_VER_REVISION
5
#define LIBGIT2_VER_PATCH 0
#define LIBGIT2_SOVERSION 26
...
...
src/delta.c
View file @
a3e53c16
...
...
@@ -539,7 +539,8 @@ int git_delta_apply(
*
out
=
NULL
;
*
out_len
=
0
;
/* Check that the base size matches the data we were given;
/*
* Check that the base size matches the data we were given;
* if not we would underflow while accessing data from the
* base object, resulting in data corruption or segfault.
*/
...
...
@@ -564,29 +565,32 @@ int git_delta_apply(
while
(
delta
<
delta_end
)
{
unsigned
char
cmd
=
*
delta
++
;
if
(
cmd
&
0x80
)
{
/* cmd is a copy instruction; copy from the base.
*/
size_t
off
=
0
,
len
=
0
;
if
(
cmd
&
0x01
)
off
=
*
delta
++
;
if
(
cmd
&
0x02
)
off
|=
*
delta
++
<<
8UL
;
if
(
cmd
&
0x04
)
off
|=
*
delta
++
<<
16UL
;
if
(
cmd
&
0x08
)
off
|=
*
delta
++
<<
24UL
;
if
(
cmd
&
0x10
)
len
=
*
delta
++
;
if
(
cmd
&
0x20
)
len
|=
*
delta
++
<<
8UL
;
if
(
cmd
&
0x40
)
len
|=
*
delta
++
<<
16UL
;
/* cmd is a copy instruction; copy from the base.
*/
size_t
off
=
0
,
len
=
0
,
end
;
#define ADD_DELTA(o, shift) { if (delta < delta_end) (o) |= ((unsigned) *delta++ << shift); else goto fail; }
if
(
cmd
&
0x01
)
ADD_DELTA
(
off
,
0UL
)
;
if
(
cmd
&
0x02
)
ADD_DELTA
(
off
,
8UL
)
;
if
(
cmd
&
0x04
)
ADD_DELTA
(
off
,
16UL
)
;
if
(
cmd
&
0x08
)
ADD_DELTA
(
off
,
24UL
)
;
if
(
cmd
&
0x10
)
ADD_DELTA
(
len
,
0UL
)
;
if
(
cmd
&
0x20
)
ADD_DELTA
(
len
,
8UL
)
;
if
(
cmd
&
0x40
)
ADD_DELTA
(
len
,
16UL
)
;
if
(
!
len
)
len
=
0x10000
;
#undef ADD_DELTA
if
(
base_len
<
off
+
len
||
res_sz
<
len
)
if
(
GIT_ADD_SIZET_OVERFLOW
(
&
end
,
off
,
len
)
||
base_len
<
end
||
res_sz
<
len
)
goto
fail
;
memcpy
(
res_dp
,
base
+
off
,
len
);
res_dp
+=
len
;
res_sz
-=
len
;
}
else
if
(
cmd
)
{
/
* cmd is a literal insert instruction; copy from
}
else
if
(
cmd
)
{
/*
* cmd is a literal insert instruction; copy from
* the delta stream itself.
*/
if
(
delta_end
-
delta
<
cmd
||
res_sz
<
cmd
)
...
...
@@ -596,10 +600,8 @@ int git_delta_apply(
res_dp
+=
cmd
;
res_sz
-=
cmd
;
}
else
{
/* cmd == 0 is reserved for future encodings.
*/
}
else
{
/* cmd == 0 is reserved for future encodings. */
goto
fail
;
}
}
...
...
tests/delta/apply.c
0 → 100644
View file @
a3e53c16
#include "clar_libgit2.h"
#include "delta.h"
void
test_delta_apply__read_at_off
(
void
)
{
unsigned
char
base
[
16
]
=
{
0
},
delta
[]
=
{
0x10
,
0x10
,
0xff
,
0xff
,
0xff
,
0xff
,
0xff
,
0x10
,
0x00
,
0x00
};
void
*
out
;
size_t
outlen
;
cl_git_fail
(
git_delta_apply
(
&
out
,
&
outlen
,
base
,
sizeof
(
base
),
delta
,
sizeof
(
delta
)));
}
void
test_delta_apply__read_after_limit
(
void
)
{
unsigned
char
base
[
16
]
=
{
0
},
delta
[]
=
{
0x10
,
0x70
,
0xff
};
void
*
out
;
size_t
outlen
;
cl_git_fail
(
git_delta_apply
(
&
out
,
&
outlen
,
base
,
sizeof
(
base
),
delta
,
sizeof
(
delta
)));
}
tests/diff/binary.c
View file @
a3e53c16
...
...
@@ -3,6 +3,7 @@
#include "git2/sys/diff.h"
#include "buffer.h"
#include "delta.h"
#include "filebuf.h"
#include "repository.h"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment