1. 24 Aug, 2019 1 commit
  2. 13 Aug, 2019 4 commits
    • Merge pull request #5202 from libgit2/users/ethomson/security_updates · 08cfa43d
      Security updates from 0.28.3
      Edward Thomson committed
    • commit_list: fix possible buffer overflow in `commit_quick_parse` · 57a9ccd5
      The function `commit_quick_parse` provides a way to quickly parse
      parts of a commit without storing or verifying most of its
      metadata. The first thing it does is calculating the number of
      parents by skipping "parent " lines until it finds the first
      non-parent line. Afterwards, this parent count is passed to
      `alloc_parents`, which will allocate an array to store all the
      parent.
      
      To calculate the amount of storage required for the parents
      array, `alloc_parents` simply multiplicates the number of parents
      with the respective elements's size. This already screams "buffer
      overflow", and in fact this problem is getting worse by the
      result being cast to an `uint32_t`.
      
      In fact, triggering this is possible: git-hash-object(1) will
      happily write a commit with multiple millions of parents for you.
      I've stopped at 67,108,864 parents as git-hash-object(1)
      unfortunately soaks up the complete object without streaming
      anything to disk and thus will cause an OOM situation at a later
      point. The point here is: this commit was about 4.1GB of size but
      compressed down to 24MB and thus easy to distribute.
      
      The above doesn't yet trigger the buffer overflow, thus. As the
      array's elements are all pointers which are 8 bytes on 64 bit, we
      need a total of 536,870,912 parents to trigger the overflow to
      `0`. The effect is that we're now underallocating the array
      and do an out-of-bound writes. As the buffer is kindly provided
      by the adversary, this may easily result in code execution.
      
      Extrapolating from the test file with 67m commits to the one with
      536m commits results in a factor of 8. Thus the uncompressed
      contents would be about 32GB in size and the compressed ones
      192MB. While still easily distributable via the network, only
      servers will have that amount of RAM and not cause an
      out-of-memory condition previous to triggering the overflow. This
      at least makes this attack not an easy vector for client-side use
      of libgit2.
      Patrick Steinhardt committed
    • config: validate ownership of C:\ProgramData\Git\config before using it · cb1439c9
      When the VirtualStore feature is in effect, it is safe to let random
      users write into C:\ProgramData because other users won't see those
      files. This seemed to be the case when we introduced support for
      C:\ProgramData\Git\config.
      
      However, when that feature is not in effect (which seems to be the case
      in newer Windows 10 versions), we'd rather not use those files unless
      they come from a trusted source, such as an administrator.
      
      This change imitates the strategy chosen by PowerShell's native OpenSSH
      port to Windows regarding host key files: if a system file is owned
      neither by an administrator, a system account, or the current user, it
      is ignored.
      Johannes Schindelin committed
  3. 11 Aug, 2019 2 commits
  4. 09 Aug, 2019 1 commit
  5. 07 Aug, 2019 1 commit
  6. 02 Aug, 2019 4 commits
  7. 01 Aug, 2019 11 commits
  8. 29 Jul, 2019 2 commits
  9. 26 Jul, 2019 7 commits
    • config_backend: rename internal structures · 37ebe9ad
      The internal backend structures are kind-of legacy and do not really
      speak for themselves. Rename them accordingly to make them easier to
      understand.
      Patrick Steinhardt committed
    • config_file: separate out read-only backend · 2bff84ba
      To further distinguish the file writeable and readonly backends,
      separate the readonly backend into its own "config_snapshot.c"
      implementation. The snapshot backend can be generically used to snapshot
      any type of backend.
      Patrick Steinhardt committed
    • config_file: fix cast of readonly backend · f0b10066
      In `backend_readonly_free`, the passed in config backend is being cast
      to a `diskfile_backend` instead of to a `diskfile_readonly_backend`.
      While this works out just fine because we only access its header values,
      which were shared between both backends, it is undefined behaviour.
      
      Use the correct type to fix this.
      Patrick Steinhardt committed
    • config_file: remove shared `diskfile_header` struct · a3159df8
      The `diskfile_header` structure is shared between both
      `diskfile_backend` and `diskfile_readonly_backend`. The separation and
      resulting casting is confusing at times and a source for programming
      errors.
      
      Remove the shared structure and inline them directly.
      Patrick Steinhardt committed
    • config_file: duplicate accessors for readonly backend · 271e5fba
      While most functions of the readonly configuration backend are
      implemented separately from the writeable configuration backend, the two
      functions `config_iterator_new` and `config_get` are shared between
      both. This sharing makes it necessary to have some shared data
      structures, which is the `diskfile_header` structure. Unfortunately, this
      makes the backends harder to grasp than necessary due to all the casting
      between structs and also quite error prone.
      
      Reimplement those functions for the readonly backends. As readonly
      backends cannot be refreshed anyway, we can remove the calls to
      `config_refresh` in there.
      Patrick Steinhardt committed
    • config_file: reimplement `config_readonly_open` generically · 4e7ce1fb
      The `config_readonly_open` function currently receives as input a
      diskfile backend and will copy its entries to a new snapshot. This is
      rather intimate, as we need to assume that the source config backend is
      in fact a diskfile entry. We can do better than this though by using
      generic methods to copy contents of the provided backend, e.g. by using
      a config iterator. This also allows us to decouple the read-only backend
      from the read-write backend.
      Patrick Steinhardt committed
    • config_entries: fix possible segfault when duplicating entries · 76182e84
      When duplicating a configuration entry, we allocate a new entry but do
      not verify that we get a valid pointer back. As we're dereferencing the
      pointer afterwards, we might thus run into a segfault in out-of-memory
      situations.
      
      Extract a new function `git_config_entries_dup_entry` that handles the
      complete entry duplication. Fix the error by using
      `GIT_ERROR_CHECK_ALLOC`.
      Patrick Steinhardt committed
  10. 24 Jul, 2019 2 commits
  11. 22 Jul, 2019 2 commits
  12. 21 Jul, 2019 3 commits
    • tests: remote: add test suite to test listing remotes · a213fec6
      There was a bug when calling `git_remote_list` that caused us to not
      re-read modified configurations when using `git_config_iterator`. This
      bug also impacted `git_remote_list`, which thus failed to provide an
      up-to-date list of remotes. Add a test suite remote::list with a single
      test that verifies we do the right thing.
      Jordan Wallet committed
    • config_file: refresh when creating an iterator · 2766b92d
      When creating a new iterator for a config file backend, then we should
      always make sure that we're up to date by calling `config_refresh`.
      Otherwise, we might not notice when another process has modified the
      configuration file and thus will represent outdated values.
      
      Add two tests to config::stress that verify that we get up-to-date
      values when reading configuration entries via `git_config_iterator`.
      Patrick Steinhardt committed
    • config_file: do not refresh read-only backends · 9fac8b78
      If calling `config_refresh` on a read-only configuration file backend,
      then we will segfault when comparing the timestamp of the file due to
      `path` being uninitialized. As a read-only snapshot should not be
      refreshed anyway and stay consistent, we can simply return early when
      calling `config_refresh` on a read-only snapshot.
      Patrick Steinhardt committed