662994 – <dev-libs/libgit2-{0.26.6,0.27.4}: oob read in smart-protocol 'ng' packets

Bug 662994 - <dev-libs/libgit2-{0.26.6,0.27.4}: oob read in smart-protocol 'ng' packets

Summary: <dev-libs/libgit2-{0.26.6,0.27.4}: oob read in smart-protocol 'ng' packets

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2018-08-07 05:50 UTC by Michał Górny
Modified:	2018-11-23 21:27 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	dev-libs/libgit2-0.26.6
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2018-08-07 05:50:55 UTC

From https://github.com/libgit2/libgit2/releases:

| This is a security release fixing out-of-bounds reads when
| processing smart-protocol "ng" packets.
| 
| When parsing an "ng" packet, we keep track of both the current position
| as well as the remaining length of the packet itself. But instead of
| taking care not to exceed the length, we pass the current pointer's
| position to strchr, which will search for a certain character until
| hitting NUL. It is thus possible to create a crafted packet which
| doesn't contain a NUL byte to trigger an out-of-bounds read.
| 
| The issue was discovered by the oss-fuzz project, issue 9406.

0.26.6 and 0.27.4 releases contain the fix; the older versions are vulnerable.

Comment 1 Larry the Git Cow gentoo-dev

2018-08-07 06:21:42 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72c1966bf06a5c6873074c7f5cebc27f6f8bb5c7

commit 72c1966bf06a5c6873074c7f5cebc27f6f8bb5c7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-07 06:06:11 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-07 06:21:34 +0000

    dev-libs/libgit2: Sec-bump to 0.27.4
    
    Bug: https://bugs.gentoo.org/662994

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.27.4.ebuild | 80 ++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc124f9c519cb2cc6469c4f9bf774dd1f22d8fec

commit cc124f9c519cb2cc6469c4f9bf774dd1f22d8fec
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-07 05:51:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-07 06:21:34 +0000

    dev-libs/libgit2: Sec-bump to 0.26.6
    
    Bug: https://bugs.gentoo.org/662994

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.26.6.ebuild | 80 ++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

Comment 2 Michał Górny archtester

2018-08-07 06:24:39 UTC

Arch teams, please test and stabilize the fixed version.

Comment 3 Agostino Sarubbo gentoo-dev

2018-08-07 08:50:59 UTC

amd64 stable

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2018-08-07 22:44:03 UTC

x86 stable

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2018-08-07 22:45:25 UTC

GLSA Vote: No!


@ Maintainer(s): Please cleanup and drop <dev-libs/libgit2-0.26.6 and <dev-libs/libgit2-0.27.4!

Comment 6 Larry the Git Cow gentoo-dev

2018-08-08 02:55:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c22582f2f5edd207a7d2dbe15d549701d04a3986

commit c22582f2f5edd207a7d2dbe15d549701d04a3986
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-08 02:55:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-08 02:55:02 +0000

    dev-libs/libgit2: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/662994

 dev-libs/libgit2/Manifest              |  2 -
 dev-libs/libgit2/libgit2-0.26.5.ebuild | 80 ----------------------------------
 dev-libs/libgit2/libgit2-0.27.3.ebuild | 80 ----------------------------------
 3 files changed, 162 deletions(-)