Information about security advisories affecting libgit2 and the releases that provide resolution.
In case you think to have found a security issue with libgit2, please do not open a public issue. Instead, you can report the issue to the private mailing list email@example.com.
Ignores submodule configuration entries with names which attempt to perform path
traversal and can be exploited to write to an arbitrary path or for remote code
libgit2 itself is not vulnerable to RCE but tool implementations
which execute hooks after fetching might be. This is CVE-2018-11235.
It is forbidden for a
.gitmodules file to be a symlink which could cause a Git
implementation to write outside of the repository and and bypass the fsck checks
As the index is never transferred via the network, exploitation requires an attacker to have access to the local repository.
This does not affect you if you rely on a system-installed version of zlib. All users of v0.26.0 who use the bundled zlib should upgrade to this release.
libgit2 v0.24.6 and libgit2 v0.25.1, January 9th, 2017
Includes two fixes, one performs extra sanitization for some edge cases in the Git Smart Protocol which can lead to attempting to parse outside of the buffer.
The second fix affects the certificate check callback. It provides a
parameter to indicate whether the native cryptographic library considered the
certificate to be correct. This parameter is always
true before these
releases leading to a possible MITM.
This does not affect you if you do not use the custom certificate callback or if you do not take this value into account. This does affect you if you use pygit2 or git2go regardless of whether you specify a certificate check callback.