Releases: libgit2/libgit2

libgit2 v0.27.10

10 Dec 19:41
45c6187

This is a security release fixing the following issues:

  • CVE-2019-1348: the fast-import stream command "feature
    export-marks=path" allows writing to arbitrary file paths. As
    libgit2 does not offer any interface for fast-import, it is not
    susceptible to this vulnerability.

  • CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
    alternate file streams, it is possible to cause submodules to
    be written into pre-existing directories during a recursive
    clone using git. As libgit2 rejects cloning into non-empty
    directories by default, it is not susceptible to this
    vulnerability.

  • CVE-2019-1350: recursive clones may lead to arbitrary remote
    code execution due to improper quoting of command line
    arguments. As libgit2 uses libssh2, which does not require us
    to perform command line parsing, it is not susceptible to this
    vulnerability.

  • CVE-2019-1351: Windows provides the ability to substitute
    drive letters with arbitrary letters, including multi-byte
    Unicode letters. To fix any potential issues arising from
    interpreting such paths as relative paths, we have extended
    detection of DOS drive prefixes to accommodate such cases.

  • CVE-2019-1352: by using NTFS-style alternative file streams for
    the ".git" directory, it is possible to overwrite parts of the
    repository. While this has been fixed in the past for Windows,
    the same vulnerability may also exist on other systems that
    write to NTFS filesystems. We now reject any paths starting
    with ".git:" on all systems.

  • CVE-2019-1353: by using NTFS-style 8.3 short names, it was
    possible to write to the ".git" directory and thus overwrite
    parts of the repository, leading to possible remote code
    execution. While this problem was already fixed in the past for
    Windows, other systems accessing NTFS filesystems are
    vulnerable to this issue too. We now enable NTFS protections by
    default on all systems to fix this attack vector.

  • CVE-2019-1354: on Windows, backslashes are not a valid part of
    a filename but are instead interpreted as directory separators.
    As other platforms allowed such paths, it was possible to write
    such invalid entries into a Git repository, which was thus an
    attack vector for writing into the ".git" directory. We now
    reject any entries starting with ".git" on all systems.

  • CVE-2019-1387: it is possible to let a submodule's git
    directory point into a sibling's submodule directory, which may
    result in overwriting parts of the Git repository and thus lead
    to arbitrary command execution. As libgit2 doesn't provide any
    way to do submodule clones natively, it is not susceptible to
    this vulnerability. Users of libgit2 that have implemented
    recursive submodule clones manually are encouraged to review
    their implementation for this vulnerability.
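To make the checks behind CVE-2019-1352, CVE-2019-1353 and CVE-2019-1354 concrete, here is an added example in C. It is not libgit2's own code and the function names (`path_touches_dotgit`, `component_is_dotgit`, `ieq`) are hypothetical. It walks the components of a tree entry path and flags any component that would resolve to the `.git` directory; with NTFS protections enabled it also strips an alternate data stream suffix after `:`, treats `GIT~1` as the 8.3 short name of `.git`, drops trailing dots and spaces, and accepts a backslash as a separator. The sample entries in `main` are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of `len` bytes of `s` against literal `lit`. */
static bool ieq(const char *s, size_t len, const char *lit)
{
    if (strlen(lit) != len)
        return false;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != (unsigned char)lit[i])
            return false;
    return true;
}

/*
 * Does one path component name the .git directory?
 * With `ntfs` set, apply the NTFS equivalences the release notes describe:
 *  - ".git:stream" is an alternate data stream of ".git" (CVE-2019-1352),
 *  - "GIT~1" is the 8.3 short name of ".git" (CVE-2019-1353),
 *  - trailing dots and spaces are ignored by the filesystem (".git. ").
 */
static bool component_is_dotgit(const char *s, size_t len, bool ntfs)
{
    if (ntfs) {
        /* strip an alternate data stream suffix */
        for (size_t i = 0; i < len; i++) {
            if (s[i] == ':') {
                len = i;
                break;
            }
        }
        /* strip trailing dots and spaces */
        while (len > 0 && (s[len - 1] == '.' || s[len - 1] == ' '))
            len--;
        if (ieq(s, len, "git~1"))
            return true;
    }
    return ieq(s, len, ".git");
}

/*
 * Return true if any component of `path` would land inside the .git
 * directory. With `ntfs` set, a backslash also separates components
 * (CVE-2019-1354), so "a\.git\hooks" is caught as well as "a/.git/hooks".
 * Hypothetical helper for this example, not a libgit2 API.
 */
bool path_touches_dotgit(const char *path, bool ntfs)
{
    const char *start = path;
    for (const char *p = path;; p++) {
        bool sep = (*p == '\0' || *p == '/' || (ntfs && *p == '\\'));
        if (!sep)
            continue;
        if (component_is_dotgit(start, (size_t)(p - start), ntfs))
            return true;
        if (*p == '\0')
            return false;
        start = p + 1;
    }
}

int main(void)
{
    /* constructed sample entries, as a checkout path filter would see them */
    const char *entries[] = {
        "src/main.c", ".gitignore", "src/.git/config", ".git:config",
        "GIT~1/hooks/post-checkout", "a\\.git\\config", ".git. /x",
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-28s posix=%d ntfs=%d\n", entries[i],
               path_touches_dotgit(entries[i], false),
               path_touches_dotgit(entries[i], true));
    return 0;
}
```

Running it shows why the release enables the NTFS rules on every platform: the last four entries are harmless under plain POSIX component matching but all resolve to the repository's `.git` directory once the files are written to an NTFS volume.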

libgit2 v0.27.9

13 Aug 17:11

This is a security release fixing the following issues:

  • A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

  • The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

libgit2 v0.28.3

13 Aug 17:08

This is a security release fixing the following issues:

  • A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

  • The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

libgit2 v0.28.2

21 May 07:55
b3e1a56

This is a bugfix release with the following changes:

  • Fix include directory ordering when using bundled dependencies.

  • Fix infinite loop when searching for a non-existing repository with
    Windows-style paths including drive prefixes.

  • Fix symlinks to directories on Windows.

  • Fix paths with a trailing "/" not always being treated as
    directories when computing ignores.

  • Fix false negatives when computing ignores where ignore rules
    that are a prefix to a negative ignore rule exist.

  • Fix patches with CRLF line endings not being parsed correctly.

  • Fix segfault when parsing patches with file addition (deletion)
    where the added (deleted) file name contains a space.

  • Fix assertion failure when trying to write to a non-existent
    locked configuration file.

libgit2 v0.28.1

14 Feb 16:37
572e4d8

This is a bugfix release with the following change:

  • The deprecated functions (git_buf_free and the giterr_ family of functions) are now exported properly. In the v0.28 release, they were not given the correct external attributes and they did not have the correct linkage visibility in the v0.28 library.

libgit2 v0.28.0

11 Feb 16:59
1a107fa

This is the first release of the v0.28 series, "Kummerspeck". The changelog follows.

Changes or improvements

  • The library is now always built with cdecl calling conventions on
    Windows; the ability to build a stdcall library has been removed.

  • Reference log creation now honors core.logallrefupdates=always.

  • Fix some issues with the error-reporting in the OpenSSL backend.

  • HTTP proxy support is now builtin; libcurl is no longer used to support
    proxies and is removed as a dependency.

  • Certificate and credential callbacks can now return GIT_PASSTHROUGH
    to decline to act; libgit2 will behave as if there was no callback set
    in the first place.

  • The line-ending filtering logic - when checking out files - has been
    updated to match newer git (>= git 2.9) for proper interoperability.

  • Symbolic links are now supported on Windows when core.symlinks is set
    to true.

  • Submodules with names which attempt to perform path traversal now have their
    configuration ignored. Such names were blindly appended to the
    $GIT_DIR/modules and a malicious name could lead to an attacker writing to
    an arbitrary location. This matches git's handling of CVE-2018-11235.

  • Object validation is now performed during tree creation in the
    git_index_write_tree_to API.

  • Configuration variable may now be specified on the same line as a section
    header; previously this was erroneously a parser error.

  • When an HTTP server supports both NTLM and Negotiate authentication
    mechanisms, we would previously fail to authenticate with any mechanism.

  • The GIT_OPT_SET_PACK_MAX_OBJECTS option can now set the maximum
    number of objects allowed in a packfile being downloaded; this can help
    limit the maximum memory used when fetching from an untrusted remote.

  • Line numbers in diffs loaded from patch files were not being populated;
    they are now included in the results.

  • The repository's index is reloaded from disk at the beginning of
    git_merge operations to ensure that it is up-to-date.

  • Mailmap handling APIs have been introduced, and the new commit APIs
    git_commit_committer_with_mailmap and git_commit_author_with_mailmap
    will use the mailmap to resolve the committer and author information.
    In addition, blame will use the mailmap given when the
    GIT_BLAME_USE_MAILMAP option is set.

  • Ignore handling for files in ignored folders would be ignored.

  • Worktrees can now be backed by bare repositories.

  • Trailing spaces are supported in .gitignore files, these spaces were
    previously (and erroneously) treated as part of the pattern.

  • The library can now be built with mbedTLS support for HTTPS.

  • The diff status character 'T' will now be presented by the
    git_diff_status_char API for diff entries that change type.

  • Revision walks previously would sometimes include commits that should
    have been ignored; this is corrected.

  • Revision walks are now more efficient when the output is unsorted;
    we now avoid walking all the way to the beginning of history unnecessarily.

  • Error-handling around index extension loading has been fixed. We were
    previously always misreporting a truncated index (#4858).
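The submodule-name bullet above describes the hardening that matches git's CVE-2018-11235 handling. As an added example, not libgit2's code, here is a C check that rejects a submodule name before it is appended to `$GIT_DIR/modules`: an empty name, or any component equal to `..` (split on both `/` and `\` so the rule is identical on every platform), is refused. The helpers `submodule_name_is_safe` and `submodule_gitdir_path` are hypothetical, and the names and `gitdir` in `main` are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Reject submodule names that could escape $GIT_DIR/modules when appended
 * to it. A ".." component is the traversal case; an empty name would alias
 * the modules directory itself. Hypothetical helper for this example.
 */
bool submodule_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    const char *start = name;
    for (const char *p = name;; p++) {
        /* split on '/' and '\\' regardless of platform */
        if (*p != '\0' && *p != '/' && *p != '\\')
            continue;
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return false;
        if (*p == '\0')
            return true;
        start = p + 1;
    }
}

/*
 * Build "<gitdir>/modules/<name>" into `out`, but only for a safe name.
 * Returns 0 on success, -1 if the name was rejected or `out` is too small.
 */
int submodule_gitdir_path(char *out, size_t outlen, const char *gitdir, const char *name)
{
    if (!submodule_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/modules/%s", gitdir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* constructed .gitmodules-style names: ordinary ones and traversal shapes */
    const char *names[] = { "lib/foo", "..x", "../../other", "a/..\\b", "" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = submodule_gitdir_path(path, sizeof path, "/repo/.git", names[i]);
        printf("%-16s -> %s\n", names[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Note that `..x` and `a..b` pass: only a component that is exactly `..` changes the resolved directory, so the check can be strict about traversal without rejecting legitimate names.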

API additions

  • The index may now be iterated atomically using git_index_iterator.

  • Remote objects can now be created with extended options using the
    git_remote_create_with_opts API.

  • Diff objects can now be applied as changes to the working directory,
    index or both, emulating the git apply command. Additionally,
    git_apply_to_tree can apply those changes to a tree object as a
    fully in-memory operation.

  • You can now swap out memory allocators via the
    GIT_OPT_SET_ALLOCATOR option with git_libgit2_opts().

  • You can now ensure that functions do not discard unwritten changes to the
    index via the GIT_OPT_ENABLE_UNSAVED_INDEX_SAFETY option to
    git_libgit2_opts(). This will cause functions that implicitly re-read
    the index (e.g., git_checkout) to fail if you have staged changes to the
    index but you have not written the index to disk. (Unless the checkout
    has the FORCE flag specified.)

    At present, this defaults to off, but we intend to enable this more
    broadly in the future, as a warning or error. We encourage you to
    examine your code to ensure that you are not relying on the current
    behavior that implicitly removes staged changes.

  • Reference specifications can be parsed from an arbitrary string with
    the git_refspec_parse API.

  • You can now get the name and path of worktrees using the
    git_worktree_name and git_worktree_path APIs, respectively.

  • The ref field has been added to git_worktree_add_options to enable
    the creation of a worktree from a pre-existing branch.

  • It's now possible to analyze merge relationships between any two
    references, not just against HEAD, using git_merge_analysis_for_ref.

API removals

  • The git_buf_free API is deprecated; it has been renamed to
    git_buf_dispose for consistency. The git_buf_free API will be
    retained for backward compatibility for the foreseeable future.

  • The git_otype enumeration and its members are deprecated and have
    been renamed for consistency. The GIT_OBJ_ enumeration values are
    now prefixed with GIT_OBJECT_. The old enumerations and macros
    will be retained for backward compatibility for the foreseeable future.

  • Several index-related APIs have been renamed for consistency. The
    GIT_IDXENTRY_ enumeration values and macros have been renamed to
    be prefixed with GIT_INDEX_ENTRY_. The GIT_INDEXCAP enumeration
    values are now prefixed with GIT_INDEX_CAPABILITY_. The old
    enumerations and macros will be retained for backward compatibility
    for the foreseeable future.

  • The error functions and enumeration values have been renamed for
    consistency. The giterr_ functions and values prefix have been
    renamed to be prefixed with git_error_; similarly, the GITERR_
    constants have been renamed to be prefixed with GIT_ERROR_.
    The old enumerations and macros will be retained for backward
    compatibility for the foreseeable future.

Breaking API changes

  • The default checkout strategy changed from DRY_RUN to SAFE (#4531).

  • Adding a symlink as .gitmodules into the index from the workdir or checking
    out such files is not allowed as this can make a Git implementation write
    outside of the repository and bypass the fsck checks for CVE-2018-11235.

libgit2 v0.28.0 RC1

01 Feb 21:43
1a107fa
Pre-release

This is a release candidate for libgit2 v0.28.0.

libgit2 v0.27.8

28 Jan 11:00

This is a bugfix release with the following changes:

  • Negative gitignore rules should match git's behavior. For example,
    given a gitignore rule of *.test and a second gitignore rule of
    !dir/*, we would incorrectly apply the negation rule. With this
    fix, we behave like git.

  • Always provide custom transport implementations with the URL in the
    action function. v0.27.7 included a change that would erroneously
    provide NULL to subsequent calls to the action function. This is
    fixed.

  • Fix several bugs parsing malformed commits and malformed trees.

  • Allow configuration file directory locations to be specified as
    /dev/null.

  • Ensure that when an error occurs reading from the loose ODB backend
    that we do not segfault.

  • Ensure that when a filter stream application fails that we do not
    segfault.

  • Ensure that any configuration reading failures are propagated while
    loading submodule information.

  • Peel annotated tags fully when creating an annotated commit.

  • Ensure that numbers are parsed correctly in a variety of places.

libgit2 v0.27.7

26 Oct 13:30
f23dc5b

This is a bugfix release with the following changes or improvements:

  • Our continuous integration environment has switched from Travis and
    AppVeyor to Azure Pipelines CI.

  • Fix adding worktrees for bare repositories.

  • Fix parsed patches not computing the old and new line numbers
    correctly.

  • Fix parsing configuration variables which do not have a section.

  • Fix a zero-byte allocation when trying to detect file renames and
    copies of a diff without any hunks.

  • Fix a zero-byte allocation when trying to resize or duplicate
    vectors.

  • Fix return value when trying to unlock worktrees which aren't
    locked.

  • Fix returning an uninitialized error code when preparing a revision
    walk without any pushed commits.

  • Fix return value of git_remote_lookup when lookup of
    "remote.$remote.tagopt" fails.

  • Fix the revision walk always labelling commits as interesting due
    to a mishandling of the commit date.

  • Fix the packbuilder inserting uninteresting blobs when adding a
    tree containing references to such blobs.

  • Ignore unsupported authentication schemes in HTTP transport.

  • Improve performance of git_remote_prune.

  • Fix detection of whether qsort_r has a BSD or GNU function
    signature.

  • Fix detection of iconv if it is provided by libc.

libgit2 v0.27.6

26 Oct 13:27
68e55c3

This is a security release fixing the following list of issues:

  • The function family git__strtol is used to parse integers
    from a buffer. As the functions do not take a buffer length as
    argument, they will scan either until the end of the current
    number or until a NUL byte is encountered. Many callers have
    been misusing the function and called it on potentially
    non-NUL-terminated buffers, resulting in possible out-of-bounds
    reads. Callers have been fixed to use git__strntol functions
    instead and git__strtol functions were removed.

  • The function git__strntol64 relied on the undefined behavior
    of signed integer overflows. While the code tried to detect
    such overflows after they have happened, this is unspecified
    behavior and may lead to weird behavior on uncommon platforms.

  • In the case where git__strntol32 was unable to parse an
    integer because it doesn't fit into an int32_t, it printed an
    error message containing the string that is currently being
    parsed. The code didn't truncate the string though, which
    caused it to print the complete string until a NUL byte is
    encountered and not only the currently parsed number. In case
    where the string was not NUL terminated, this could have led
    to an out-of-bounds read.

  • When parsing tags, all unknown fields that appear before the
    tag message are skipped. This skipping is done by using a plain
    strstr(buffer, "\n\n") to search for the two newlines that
    separate tag fields from tag message. As it is not possible to
    supply a buffer length to strstr, this call may skip over the
    buffer's end and thus result in an out of bounds read. As
    strstr may return a pointer that is out of bounds, the
    following computation of buffer_end - buffer will overflow
    and result in an allocation of an invalid length. Note that
    when reading objects from the object database, we make sure to
    always NUL terminate them, making the use of strstr safe.

  • When parsing the "encoding" field of a commit, we may perform
    an out of bounds read due to using git__prefixcmp instead of
    git__prefixncmp. This can result in the parsed commit object
    containing uninitialized data in both its message encoding and
    message fields. Note that when reading objects from the object
    database, we make sure to always NUL terminate them, making the
    use of strstr safe.
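The v0.27.6 bullets above share one root cause: object parsers that trusted a NUL terminator the buffer might not have, plus an integer parser that detected signed overflow only after it had already happened. As an added example, not libgit2's code, here is a C sketch of the bounded equivalents: `strntol64_bounded` takes a length, accumulates the magnitude as unsigned and checks for overflow before each step; `strntol32_bounded` range-checks the result and reports only the field length rather than echoing the buffer; `find_message_start` is a length-aware stand-in for `strstr(buffer, "\n\n")`; and `has_prefix_n` is a bounded prefix test in the spirit of `git__prefixncmp`. All four names are hypothetical, and the tag object in `main` is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Parse a signed decimal integer from at most `len` bytes of `buf`, which
 * need not be NUL terminated. The magnitude is accumulated in an unsigned
 * value and checked before each step, so no signed overflow (undefined
 * behaviour) can occur. Returns 0 and sets *out and *end on success;
 * returns -1 when there are no digits or the value does not fit in int64_t.
 */
int strntol64_bounded(int64_t *out, const char *buf, size_t len, const char **end)
{
    size_t i = 0;
    bool neg = false;

    if (i < len && (buf[i] == '-' || buf[i] == '+')) {
        neg = (buf[i] == '-');
        i++;
    }
    if (i >= len || buf[i] < '0' || buf[i] > '9')
        return -1;                          /* no digits within the bounds */

    /* largest magnitude allowed: |INT64_MIN| for negatives, INT64_MAX otherwise */
    uint64_t limit = neg ? (uint64_t)INT64_MAX + 1 : (uint64_t)INT64_MAX;
    uint64_t val = 0;
    for (; i < len && buf[i] >= '0' && buf[i] <= '9'; i++) {
        uint64_t d = (uint64_t)(buf[i] - '0');
        if (val > (limit - d) / 10)         /* val * 10 + d would exceed limit */
            return -1;
        val = val * 10 + d;
    }

    if (neg)
        *out = (val == (uint64_t)INT64_MAX + 1) ? INT64_MIN : -(int64_t)val;
    else
        *out = (int64_t)val;
    if (end)
        *end = buf + i;
    return 0;
}

/* 32-bit variant: range-check the 64-bit result. The diagnostic states the
 * field length only; the buffer itself is never printed, since it may not be
 * NUL terminated. */
int strntol32_bounded(int32_t *out, const char *buf, size_t len, const char **end)
{
    int64_t v;
    if (strntol64_bounded(&v, buf, len, end) < 0)
        return -1;
    if (v < INT32_MIN || v > INT32_MAX) {
        fprintf(stderr, "value does not fit in int32_t (%zu-byte field)\n", len);
        return -1;
    }
    *out = (int32_t)v;
    return 0;
}

/* Bounded replacement for strstr(buf, "\n\n"): return a pointer to the first
 * byte after the header/message separator, or NULL if the separator is not
 * inside [buf, buf + len). Never reads beyond len. */
const char *find_message_start(const char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\n' && buf[i + 1] == '\n')
            return buf + i + 2;
    return NULL;
}

/* Bounded prefix test: true if the first `len` bytes of buf begin with `prefix`. */
bool has_prefix_n(const char *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    return plen <= len && memcmp(buf, prefix, plen) == 0;
}

int main(void)
{
    /* constructed tag object; only the first `len` bytes count as valid */
    const char raw[] = "object 0123\ntype commit\ntag v1\n\nhello";
    size_t len = sizeof raw - 1;
    const char *msg = find_message_start(raw, len);
    if (msg)
        printf("message: %.*s\n", (int)(raw + len - msg), msg);
    printf("truncated object has separator: %s\n",
           find_message_start(raw, 31) ? "yes" : "no");
    int64_t v;
    printf("overflow detected: %s\n",
           strntol64_bounded(&v, "9223372036854775808", 19, NULL) < 0 ? "yes" : "no");
    return 0;
}
```

The overflow test `val > (limit - d) / 10` is exact: `val * 10 + d <= limit` holds if and only if `val <= (limit - d) / 10` in integer arithmetic, and `limit - d` cannot underflow because `d` is at most 9.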