Skip to content

Commit 33effc0

Browse files
ethomsonethomson
authored
Merge pull request #1577 from libgit2/ethomson/0_25_1
Update for LibGit2Sharp v0.25.1
2 parents 47287bc + 28a0ab3 commit 33effc0

File tree

2 files changed

+23
-1
lines changed

2 files changed

+23
-1
lines changed

CHANGES.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,28 @@
1010
- Windows (x86/amd64): <https://ci.appveyor.com/project/libgit2/libgit2sharp>
1111
- Linux/Mac OS X: <https://travis-ci.org/libgit2/libgit2sharp>
1212

13+
## v0.25.1 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.25..v0.25.1))
14+
15+
This is a security release fixing insufficient validation of submodule
16+
names (CVE-2018-11235, reported by Etienne Stalmans) and disallows
17+
`.gitmodules` files as symlinks. This includes [libgit2
18+
v0.27.1](https://github.com/libgit2/libgit2/releases/tag/v0.27.1),
19+
whose release notes follow.
20+
21+
While submodule names come from the untrusted `.gitmodules` file, we
22+
blindly append the name to `$GIT_DIR/modules` to construct the final
23+
path of the submodule repository. In case the name contains e.g. `../`,
24+
an adversary would be able to escape your repository and write data at
25+
arbitrary paths. In accordance with git, we now enforce some rules for
26+
submodule names which will cause libgit2 to ignore these malicious names.
27+
28+
Adding a symlink as .gitmodules into the index from the workdir or
29+
checking out such files is not allowed as this can make a Git
30+
implementation write outside of the repository and bypass the fsck
31+
checks for CVE-2018-11235.
32+
33+
libgit2 (and LibGit2Sharp) is not susceptible to CVE-2018-11233.
34+
1335
## v0.25 - ([diff](https://github.com/libgit2/libgit2sharp/compare/v0.24..v0.25))
1436

1537
LibGit2Sharp is now .NET Core 2.0+ and .NET Framework compatible.

LibGit2Sharp/LibGit2Sharp.csproj

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@
3232
</ItemGroup>
3333

3434
<ItemGroup>
35-
<PackageReference Include="LibGit2Sharp.NativeBinaries" Version="[1.0.210]" PrivateAssets="none" />
35+
<PackageReference Include="LibGit2Sharp.NativeBinaries" Version="[1.0.217]" PrivateAssets="none" />
3636
<PackageReference Include="Nerdbank.GitVersioning" Version="2.1.23" PrivateAssets="all" />
3737
<PackageReference Include="SourceLink.Create.GitHub" Version="2.8.0" PrivateAssets="all" />
3838
<DotNetCliToolReference Include="dotnet-sourcelink-git" Version="2.8.0" />

0 commit comments

Comments
 (0)