[pkgsrc/pkgsrc-2018Q3]: pkgsrc/devel/libgit2 Pullup ticket #5848 - requested ...

[spz <spz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/2aa24a1eef4b
branches:  pkgsrc-2018Q3
changeset: 334100:2aa24a1eef4b
user:      spz <spz%pkgsrc.org@localhost>
date:      Sat Oct 20 16:18:20 2018 +0000

description:
Pullup ticket #5848 - requested by bsiegert
devel/libgit2: security update

Revisions pulled up:
- devel/libgit2/Makefile                                        1.29
- devel/libgit2/distinfo                                        1.14

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   taca
   Date:           Thu Oct 18 14:43:01 UTC 2018

   Modified Files:
           pkgsrc/devel/libgit2: Makefile distinfo

   Log Message:
   devel/libgit2: update to 0.27.5

   libgit2 0.27.5 (2018/10/5)

   This is a security release fixing the following list of issues:

   * Submodule URLs and paths with a leading "-" are now ignored.  This is due to
     the recently discovered CVE-2018-17456, which can lead to arbitrary code
     execution in upstream git.  While libgit2 itself is not vulnerable, it can
     be used to inject options in an implementation which performs a recursive
     clone by executing an external command.

   * When running repack while doing repo writes, packfile_load__cb() could see
     some temporary files in the directory that were bigger than the usual, and
     makes memcmp overflow on the p->pack_name string.  This issue was reported
     and fixed by bisho.

   * The configuration file parser used unbounded recursion to parse multiline
     variables, which could lead to a stack overflow.  The issue was reported by
     the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.

   * The fix to the unbounded recursion introduced a memory leak in the config
     parser.  While this leak was never in a public release, the oss-fuzz project
     reported this as issue 10127.  The fix was implemented by Nelson Elhage and
     Patrick Steinhardt.

   * When parsing "ok" packets received via the smart protocol, our parsing code
     did not correctly verify the bounds of the packets, which could result in a
     heap-buffer overflow.  The issue was reported by the oss-fuzz project, issue
     9749 and fixed by Patrick Steinhardt.

   * The parsing code for the smart protocol has been tightened in general,
     fixing heap-buffer overflows when parsing the packet type as well as for
     "ACK" and "unpack" packets.  The issue was discovered and fixed by Patrick
     Steinhardt.

   * Fixed potential integer overflows on platforms with 16 bit integers when
     parsing packets for the smart protocol.  The issue was discovered and fixed
     by Patrick Steinhardt.

   * Fixed potential NULL pointer dereference when parsing configuration files
     which have "include.path" or "includeIf..path" statements without a value.


   To generate a diff of this commit:
   cvs rdiff -u -r1.28 -r1.29 pkgsrc/devel/libgit2/Makefile
   cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/libgit2/distinfo

diffstat:

 devel/libgit2/Makefile |   4 ++--
 devel/libgit2/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (27 lines):

diff -r b9081be1c357 -r 2aa24a1eef4b devel/libgit2/Makefile
--- a/devel/libgit2/Makefile    Sat Oct 20 16:12:15 2018 +0000
+++ b/devel/libgit2/Makefile    Sat Oct 20 16:18:20 2018 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.28 2018/09/23 15:11:42 taca Exp $
+# $NetBSD: Makefile,v 1.28.2.1 2018/10/20 16:18:20 spz Exp $
 
-DISTNAME=      libgit2-0.27.4
+DISTNAME=      libgit2-0.27.5
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libgit2/}
 GITHUB_TAG=    v${PKGVERSION_NOREV}
diff -r b9081be1c357 -r 2aa24a1eef4b devel/libgit2/distinfo
--- a/devel/libgit2/distinfo    Sat Oct 20 16:12:15 2018 +0000
+++ b/devel/libgit2/distinfo    Sat Oct 20 16:18:20 2018 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2018/09/23 15:11:42 taca Exp $
+$NetBSD: distinfo,v 1.13.2.1 2018/10/20 16:18:20 spz Exp $
 
-SHA1 (libgit2-0.27.4.tar.gz) = 47392972e2c9689dbce0cf68b1e678fcc9915c2a
-RMD160 (libgit2-0.27.4.tar.gz) = 6efb878890e638d2f780f80351827a46b0a63510
-SHA512 (libgit2-0.27.4.tar.gz) = d27db86eb1b9f0d4057f8538ba1985ee76c3ca106e57d417fa9bff79d575f91a07ad28693112b58dc1d61d68116a82e6a145f12276158f2806b6c4964d741f61
-Size (libgit2-0.27.4.tar.gz) = 4772254 bytes
+SHA1 (libgit2-0.27.5.tar.gz) = dc339e9dd54316bd44b2769b52d5e30943e90dcf
+RMD160 (libgit2-0.27.5.tar.gz) = 864a350940288b3bdbdc90601cb24aed46ce7cbe
+SHA512 (libgit2-0.27.5.tar.gz) = 318b981456d55f60f8aa1897f1f70274329e48f09769b661eb4bbe76399071eca0fbc7deacb3191db16bc89dba8cc69a64adaf8cbc65e34a65b6e72ca122e21f
+Size (libgit2-0.27.5.tar.gz) = 4775158 bytes