692166 – <dev-libs/libgit2-0.28.3: OOB writes or DOS using crafted commit objects

Bug 692166 - <dev-libs/libgit2-0.28.3: OOB writes or DOS using crafted commit objects

Summary: <dev-libs/libgit2-0.28.3: OOB writes or DOS using crafted commit objects

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2019-08-14 20:42 UTC by Michał Górny
Modified:	2019-08-20 20:20 UTC (History)
CC List:	3 users (show)

See Also:
Package list:	dev-libs/libgit2-0.28.3 amd64 arm64 x86 dev-python/pygit2-0.28.2 amd64 x86 dev-libs/libgit2-glib-0.28.0.1 amd64 x86 dev-vcs/gitg-3.32.1 amd64 x86
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2019-08-14 20:42:58 UTC

According to release notes [1]:

| A carefully constructed commit object with a very large number
| of parents may lead to potential out-of-bounds writes or
| potential denial of service.

<0.27.9, and <0.28.3 (of 0.28*) are affected.  Since we don't have the 0.27 branch, I'm going to bump to 0.28.3, and we'll probably want to stabilize it ASAP.

@gnome, is it ok to stabilize gitg-3.32*?

[1] https://github.com/libgit2/libgit2/releases/tag/v0.28.3

Comment 1 Larry the Git Cow gentoo-dev

2019-08-14 20:58:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20523a775ef79244df52d3cfa87dcafca094560d

commit 20523a775ef79244df52d3cfa87dcafca094560d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-14 20:58:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-14 20:58:41 +0000

    dev-libs/libgit2: Bump to 0.28.3
    
    Bug: https://bugs.gentoo.org/692166
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.28.3.ebuild | 72 ++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)

Comment 2 Michał Górny archtester

2019-08-15 07:15:26 UTC

Arch teams, please stabilize.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2019-08-16 22:39:34 UTC

x86 stable

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2019-08-16 22:53:22 UTC

arm64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2019-08-18 21:52:36 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 6 Larry the Git Cow gentoo-dev

2019-08-19 04:28:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a23e5ff54b17576fb7eb8a2f91257940d00342ec

commit a23e5ff54b17576fb7eb8a2f91257940d00342ec
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-19 04:23:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-19 04:28:41 +0000

    dev-libs/libgit2: Drop old
    
    Bug: https://bugs.gentoo.org/692166
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libgit2/Manifest                          |  2 -
 ...libgit2-0.26.8-disable-oom-tests-on-32bit.patch | 64 -----------------
 dev-libs/libgit2/libgit2-0.26.8.ebuild             | 82 ----------------------
 dev-libs/libgit2/libgit2-0.28.2.ebuild             | 72 -------------------
 dev-libs/libgit2/metadata.xml                      |  2 -
 5 files changed, 222 deletions(-)