[Bug 1991636] Re: [FFe]Update to libgit2 1.3.2
Launchpad Bug Tracker
1991636 at bugs.launchpad.net
Tue Oct 11 22:32:31 UTC 2022
This bug was fixed in the package libgit2 - 1.3.2+dfsg.1-0ubuntu1
---------------
libgit2 (1.3.2+dfsg.1-0ubuntu1) kinetic; urgency=medium

  * New upstream bugfix version (LP: #1991636)
  * d/watch: switch to the GH tags page as the release page broke
    tarball links
  * d/p/fix-warnings-atomic-exchange.patch: cherry-picked from upstream
    to silence a particularly loud warning

 -- Simon Chopin <schopin at ubuntu.com>  Tue, 04 Oct 2022 09:55:21 +0200
** Changed in: libgit2 (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libgit2 in Ubuntu.
https://bugs.launchpad.net/bugs/1991636
Title:
[FFe]Update to libgit2 1.3.2
Status in libgit2 package in Ubuntu:
Fix Released
Bug description:
1.3.1 and 1.3.2 are bugfix releases that basically catch up to git on
some security behaviour. Here's the upstream changelog for those
versions (note that the embedded zlib is removed when repacking):
v1.3.2
------
🔒 This is a security release with multiple changes.
* This provides compatibility with git's changes to address CVE
2022-29187. As a follow up to [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/),
now not only is the working directory of a non-bare
repository examined for its ownership, but the `.git` directory and
the `.git` file (if present) are also examined for their ownership.
* A fix for compatibility with git's (new) behavior for CVE 2022-24765
allows users on POSIX systems to access a git repository that is owned
by them when they are running in `sudo`.
* A fix for further compatibility with git's (existing) behavior for
CVE 2022-24765 allows users on Windows to access a git repository that
is owned by the Administrator when running with escalated privileges
(using `runas Administrator`).
* The bundled zlib is updated to v1.2.12, as prior versions had memory
corruption bugs. It is not known that there is a security
vulnerability in libgit2 based on these bugs, but we are updating to
be cautious.
All users of the v1.3 release line are recommended to upgrade.
v1.3.1
------
🔒 This is a security release to provide compatibility with git's
changes to address [CVE 2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/).
**libgit2 is not directly affected** by this vulnerability, because
libgit2 does not directly invoke any executable. But we are providing
these changes as a security release for any users that use libgit2 for
repository discovery and then _also_ use git on that repository. In
this release, we will now validate that the user opening the
repository is the same user that owns the on-disk repository. This is
to match git's behavior.
In addition, we are providing several correctness fixes where invalid
input can lead to a crash. These may prevent possible denial of
service attacks. At this time there are no known exploits for these
issues.
Full list of changes:
* Validate repository directory ownership (v1.3) by @ethomson in
https://github.com/libgit2/libgit2/pull/6268
All users of the v1.3 release line are recommended to upgrade.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgit2/+bug/1991636/+subscriptions
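The ownership rule described in the bug (the working directory, the `.git` directory and, when present, the `.git` file must be owned by the user opening the repository, with an exception for a user running under `sudo`) can be illustrated with a small stand-alone check. The program below is an added example written for this page; it is not libgit2's or git's own code. It assumes, as git's fix does, that the invoking user under `sudo` is identified by the `SUDO_UID` environment variable, and that a `.git` file is a gitlink of the form `gitdir: <path>` whose target directory should be checked as well; neither detail is stated in the bug text.

```c
/* Added example: a POSIX re-implementation of the repository-ownership
 * check described in the libgit2 1.3.1/1.3.2 release notes.
 * Not libgit2 code; assumes SUDO_UID marks the invoking user under sudo. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure decision: may a process with effective uid `euid` (and the given
 * SUDO_UID value, or NULL if unset) use a path owned by `owner`?
 * Rule: the owner must be the current user, or, when running as root
 * under sudo, the user who invoked sudo. Returns 1 if acceptable, else 0. */
int owner_is_acceptable(uid_t owner, uid_t euid, const char *sudo_uid_env)
{
    if (owner == euid)
        return 1;
    if (euid == 0 && sudo_uid_env != NULL) {
        char *end;
        errno = 0;
        unsigned long v = strtoul(sudo_uid_env, &end, 10);
        /* Accept only a well-formed, fully consumed decimal uid. */
        if (errno == 0 && end != sudo_uid_env && *end == '\0' && (uid_t)v == owner)
            return 1;
    }
    return 0;
}

/* stat() one path and apply the rule. 1 = ok, 0 = foreign owner, -1 = stat error. */
int path_owner_ok(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return owner_is_acceptable(st.st_uid, geteuid(), getenv("SUDO_UID"));
}

/* For a `.git` *file* (gitlink), read "gitdir: <path>" and check the
 * directory it points to. Relative targets are resolved against workdir. */
static int gitfile_target_ok(const char *workdir, const char *gitfile)
{
    char line[4096], target[8192];
    FILE *f = fopen(gitfile, "r");
    if (f == NULL)
        return -1;
    if (fgets(line, sizeof line, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    if (strncmp(line, "gitdir: ", 8) != 0)
        return -1;                      /* not a gitlink we understand */
    char *p = line + 8;
    p[strcspn(p, "\r\n")] = '\0';
    if (p[0] == '/')
        snprintf(target, sizeof target, "%s", p);
    else
        snprintf(target, sizeof target, "%s/%s", workdir, p);
    return path_owner_ok(target);
}

/* The v1.3.2 rule: check the working directory, then `.git` (directory or
 * file), then the gitlink target if `.git` is a file.
 * Returns 1 if every examined path is acceptable, 0 if any is owned by
 * another user, -1 if a path cannot be examined. */
int repo_ownership_ok(const char *workdir)
{
    char gitpath[4096];
    struct stat st;
    int rc = path_owner_ok(workdir);
    if (rc != 1)
        return rc;
    snprintf(gitpath, sizeof gitpath, "%s/.git", workdir);
    if (stat(gitpath, &st) != 0)
        return -1;
    rc = owner_is_acceptable(st.st_uid, geteuid(), getenv("SUDO_UID"));
    if (rc != 1)
        return rc;
    if (S_ISREG(st.st_mode))
        return gitfile_target_ok(workdir, gitpath);
    return 1;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int rc = repo_ownership_ok(dir);
    printf("%s: %s\n", dir, rc == 1 ? "ownership ok"
                          : rc == 0 ? "owned by another user" : "cannot examine");
    return rc == 1 ? 0 : 1;
}
```

Run it as `./check /path/to/repo`; a return value of 0 from `owner_is_acceptable` is the condition under which git and libgit2 now refuse to open the repository, and -1 from the path helpers distinguishes "cannot examine" from "foreign owner" so a caller can log the two cases separately.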