author | Patrick Steinhardt <ps@pks.im> | 2018-08-03 11:24:14 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2018-08-06 08:57:37 +0200 |
commit | 495bc486084d926cb655e03a4077efccb06361ba (patch) | |
tree | 85d740a7e7ddcf8dbdf2fb49f3aa301b2b526c7b | |
parent | 50705a2aa6f596d51e0ae1c5b2a616f8e71d1743 (diff) | |
download | libgit2-495bc486084d926cb655e03a4077efccb06361ba.tar.gz |
CHANGELOG.md: document security release v0.26.6
-rw-r--r-- | CHANGELOG.md | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ec40983b..e51f76271 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +v0.26.6 +------- + +This is a security release fixing out-of-bounds reads when +processing smart-protocol "ng" packets. + +When parsing an "ng" packet, we keep track of both the current position +as well as the remaining length of the packet itself. But instead of +taking care not to exceed the length, we pass the current pointer's +position to `strchr`, which will search for a certain character until +hitting NUL. It is thus possible to create a crafted packet which +doesn't contain a NUL byte to trigger an out-of-bounds read. + +The issue was discovered by the oss-fuzz project, issue 9406. + v0.26.5 ------- |
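Review bot: the second paragraph of the added v0.26.6 entry explains how the unbounded `strchr` search can run past the end of an "ng" packet, but it stops at the cause and never says what the release changes or which earlier versions are affected. Consider adding one sentence on how the parser now respects the remaining packet length, and a note on the affected version range, so that a reader deciding whether to upgrade does not have to read the fix commit. The last added line cites "issue 9406" without a link; a full reference to the oss-fuzz tracker entry would make it easier to find. Minor wording: "both the current position as well as the remaining length" reads better as "both the current position and the remaining length".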