Bug 692166 - <dev-libs/libgit2-0.28.3: OOB writes or DOS using crafted commit objects
Summary: <dev-libs/libgit2-0.28.3: OOB writes or DOS using crafted commit objects
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-14 20:42 UTC by Michał Górny
Modified: 2019-08-20 20:20 UTC
CC List: 3 users

See Also:
Package list:
dev-libs/libgit2-0.28.3 amd64 arm64 x86
dev-python/pygit2-0.28.2 amd64 x86
dev-libs/libgit2-glib-0.28.0.1 amd64 x86
dev-vcs/gitg-3.32.1 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-14 20:42:58 UTC
According to release notes [1]:

| A carefully constructed commit object with a very large number
| of parents may lead to potential out-of-bounds writes or
| potential denial of service.

<0.27.9, and <0.28.3 (of 0.28*) are affected.  Since we don't have the 0.27 branch, I'm going to bump to 0.28.3, and we'll probably want to stabilize it ASAP.

@gnome, is it ok to stabilize gitg-3.32*?

[1] https://github.com/libgit2/libgit2/releases/tag/v0.28.3
Comment 1 Larry the Git Cow gentoo-dev 2019-08-14 20:58:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20523a775ef79244df52d3cfa87dcafca094560d

commit 20523a775ef79244df52d3cfa87dcafca094560d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-14 20:58:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-14 20:58:41 +0000

    dev-libs/libgit2: Bump to 0.28.3
    
    Bug: https://bugs.gentoo.org/692166
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.28.3.ebuild | 72 ++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-15 07:15:26 UTC
Arch teams, please stabilize.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-16 22:39:34 UTC
x86 stable
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-16 22:53:22 UTC
arm64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-08-18 21:52:36 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Larry the Git Cow gentoo-dev 2019-08-19 04:28:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a23e5ff54b17576fb7eb8a2f91257940d00342ec

commit a23e5ff54b17576fb7eb8a2f91257940d00342ec
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-19 04:23:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-19 04:28:41 +0000

    dev-libs/libgit2: Drop old
    
    Bug: https://bugs.gentoo.org/692166
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libgit2/Manifest                          |  2 -
 ...libgit2-0.26.8-disable-oom-tests-on-32bit.patch | 64 -----------------
 dev-libs/libgit2/libgit2-0.26.8.ebuild             | 82 ----------------------
 dev-libs/libgit2/libgit2-0.28.2.ebuild             | 72 -------------------
 dev-libs/libgit2/metadata.xml                      |  2 -
 5 files changed, 222 deletions(-)