Fixes CVE-2018-10887 and CVE-2018-10888: out-of-bounds reads when
reading objects from a packfile.
Also fixes out-of-bounds reads when processing smart-protocol "ng"
packets (no known CVE yet).
Drop upstream patch.
Cc: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-By: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By using a patch from upstream's master branch.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes a security vulnerability similar to git's CVE-2018-11235.
This release changes some configuration options, so tweak them
accordingly.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libgit2 depends on zlib. If libgit2's build system does not find a
system zlib, then it compiles a bundled version of it, which is not
really great. So instead, add zlib as a mandatory dependency.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
[Thomas:
- Do not select BR2_PACKAGE_ZLIB, because zlib is an optional
dependency.
- Handle optional dependencies in a more usual way in libgit2.mk:
group the addition in _DEPENDENCIES and in _CONF_OPTS for a given
library together.
- libgit2 can optionally use libssh2, not libssh.
- Add the optional dependency on zlib.
- Always pass USE_ICONV=ON, the detection works perfectly fine, with
both a C library providing iconv support built-in, and with
libiconv. If neither provides iconv, it gets disabled automatically
as expected.
- Add libiconv as an optional dependency.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>