author: Patrick Steinhardt <ps@pks.im> 2018-08-03 11:24:14 +0200
committer: Patrick Steinhardt <ps@pks.im> 2018-08-06 08:57:37 +0200
commit: 495bc486084d926cb655e03a4077efccb06361ba (patch)
tree: 85d740a7e7ddcf8dbdf2fb49f3aa301b2b526c7b
parent: 50705a2aa6f596d51e0ae1c5b2a616f8e71d1743 (diff)
CHANGELOG.md: document security release v0.26.6
-rw-r--r-- CHANGELOG.md 15
1 files changed, 15 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ec40983b..e51f76271 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,18 @@
+v0.26.6
+-------
+
+This is a security release fixing out-of-bounds reads when
+processing smart-protocol "ng" packets.
+
+When parsing an "ng" packet, we keep track of both the current position
+as well as the remaining length of the packet itself. But instead of
+taking care not to exceed the length, we pass the current pointer's
+position to `strchr`, which will search for a certain character until
+hitting NUL. It is thus possible to create a crafted packet which
+doesn't contain a NUL byte to trigger an out-of-bounds read.
+
+The issue was discovered by the oss-fuzz project, issue 9406.
+
v0.26.5
-------
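Review bot: The v0.26.6 entry never states impact or exposure. The paragraph beginning "When parsing an "ng" packet" explains the `strchr` mechanism, but it does not say which side supplies the crafted packet or what the out-of-bounds read can lead to, so a reader cannot judge how urgently to upgrade. Suggest adding one sentence covering that, and giving the oss-fuzz reference as a link rather than the bare "issue 9406". Minor style point in the same paragraph: "both the current position as well as the remaining length" would read better as "both ... and ...".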