656874 – <dev-libs/libgit2-{0.26.4,0.27.1} version bump solves CVE-2018-11235

Bug 656874 - <dev-libs/libgit2-{0.26.4,0.27.1} version bump solves CVE-2018-11235

Summary: <dev-libs/libgit2-{0.26.4,0.27.1} version bump solves CVE-2018-11235

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://github.com/libgit2/libgit2/re...
Whiteboard:	B4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-05-30 00:42 UTC by Ulenrich
Modified:	2018-07-03 00:51 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	dev-libs/libgit2-0.26.4
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ulenrich 2018-05-30 00:42:49 UTC

dev-libs/libgit2-0.27.1 version bump solves CVE-2018-11235
and should work with dev-libs/libressl-2.7.3 (unstable/masked)
(I have not emerged and tried yet )

Comment 1 Larry the Git Cow gentoo-dev

2018-05-30 06:38:28 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a9b88702436769620b4a8fb0b7fe675b9dc0ea38

commit a9b88702436769620b4a8fb0b7fe675b9dc0ea38
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-05-30 06:09:22 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-05-30 06:38:13 +0000

    dev-libs/libgit2: Bump to 0.27.1
    
    Bug: https://bugs.gentoo.org/656874

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.27.1.ebuild | 80 ++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

Comment 2 Michał Górny archtester

2018-05-30 06:39:32 UTC

So, I've bumped it.  Now, the problem is that libgit2-glib + gitg still require 0.26*.  @gnome, any advice?

Comment 3 Mart Raudsepp gentoo-dev

2018-05-30 08:50:19 UTC

I'm not sure offhand what the progress is there, but I suspect the security fix could be easily backported to the 0.26 series in the meantime

Comment 4 Michał Górny archtester

2018-06-05 15:10:13 UTC

Upstream made 0.26.4 release.  I'm testing it right now, will merge and stabilize soonish.

Comment 5 Larry the Git Cow gentoo-dev

2018-06-05 15:27:14 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=713ebf5541b66ea8db94f775e5b681b338efe37d

commit 713ebf5541b66ea8db94f775e5b681b338efe37d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-06-05 15:23:29 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-06-05 15:27:05 +0000

    dev-libs/libgit2: Bump to 0.26.4 (security fix)
    
    Bug: https://bugs.gentoo.org/656874

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.26.4.ebuild | 80 ++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

Comment 6 Michał Górny archtester

2018-06-05 15:27:56 UTC

Arch teams, please proceed.

Comment 7 Agostino Sarubbo gentoo-dev

2018-06-06 12:10:54 UTC

amd64 stable

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2018-06-06 23:26:31 UTC

x86 stable

Comment 9 Larry the Git Cow gentoo-dev

2018-07-02 10:46:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=509da37d06f83bcbad61063d536f7dad48671bbe

commit 509da37d06f83bcbad61063d536f7dad48671bbe
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2018-07-02 10:45:18 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2018-07-02 10:46:29 +0000

    dev-libs/libgit2: remove old with security vulnerabilities
    
    Bug: https://bugs.gentoo.org/656874
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 dev-libs/libgit2/Manifest              |  2 -
 dev-libs/libgit2/libgit2-0.26.3.ebuild | 80 ----------------------------------
 dev-libs/libgit2/libgit2-0.27.0.ebuild | 80 ----------------------------------
 3 files changed, 162 deletions(-)

Comment 10 Aaron Bauman (RETIRED) gentoo-dev

2018-07-03 00:51:27 UTC

GLSA Vote: No