Ubuntu
libgit2 package

[FFe]Update to libgit2 1.3.2

Bug #1991636 reported by Simon Chopin
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libgit2 (Ubuntu)
Fix Released
High
Simon Chopin

Bug Description

1.3.1 and 1.3.2 are bugfix releases that basically catch up to git on some security behaviour. Here's the upstream changelog for those versions (note that the embedded zlib is removed when repacking):

v1.3.2
------

🔒 This is a security release with multiple changes.

* This provides compatibility with git's changes to address CVE 2022-29187. As a follow up to [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/), now not only is the working directory of a non-bare repository examined for its ownership, but the `.git` directory and the `.git` file (if present) are also examined for their ownership.

* A fix for compatibility with git's (new) behavior for CVE 2022-24765 allows users on POSIX systems to access a git repository that is owned by them when they are running in `sudo`.

* A fix for further compatibility with git's (existing) behavior for CVE 2022-24765 allows users on Windows to access a git repository that is owned by the Administrator when running with escalated privileges (using `runas Administrator`).

* The bundled zlib is updated to v1.2.12, as prior versions had memory corruption bugs. It is not known that there is a security vulnerability in libgit2 based on these bugs, but we are updating to be cautious.

All users of the v1.3 release line are recommended to upgrade.

v1.3.1
------

🔒 This is a security release to provide compatibility with git's changes to address [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/).

**libgit2 is not directly affected** by this vulnerability, because libgit2 does not directly invoke any executable. But we are providing these changes as a security release for any users that use libgit2 for repository discovery and then _also_ use git on that repository. In this release, we will now validate that the user opening the repository is the same user that owns the on-disk repository. This is to match git's behavior.

In addition, we are providing several correctness fixes where invalid input can lead to a crash. These may prevent possible denial of service attacks. At this time there are not known exploits to these issues.

Full list of changes:

* Validate repository directory ownership (v1.3) by @ethomson in https://github.com/libgit2/libgit2/pull/6268

All users of the v1.3 release line are recommended to upgrade.

Tags: patch
Revision history for this message
Simon Chopin (schopin) wrote :

Attached is the debdiff for this change.

See https://launchpad.net/~schopin/+archive/ubuntu/test-ppa/+sourcepub/13981804/+listing-archive-extra for successful build logs.

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
Graham Inggs (ginggs) wrote :

This looks good for a FFe, please go ahead, and remember to close LP: #1991636 in debian/changelog.

Changed in libgit2 (Ubuntu):
status: Confirmed → Triaged
Simon Chopin (schopin)
Changed in libgit2 (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libgit2 - 1.3.2+dfsg.1-0ubuntu1

---------------
libgit2 (1.3.2+dfsg.1-0ubuntu1) kinetic; urgency=medium

  * New upstream bugfix version (LP: #1991636)
  * d/watch: switch to the GH tags page as the release page broke
    tarball links
  * d/p/fix-warnings-atomic-exchange.patch: cherry-picked from upstream
    to silence a particularly loud warning

 -- Simon Chopin <email address hidden> Tue, 04 Oct 2022 09:55:21 +0200

Changed in libgit2 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.