Bug 605322 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339)

Summary:	<dev-libs/libgit2-0.24.6: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Thomas Deutschmann (RETIRED) <whissi>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	liva, mrueg
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.openwall.com/lists/oss-security/2017/01/10/5
Whiteboard:	B3 [noglsa cve]
Package list:	=dev-libs/libgit2-0.24.6	Runtime testing required:	---

Description Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-10 23:58:34 UTC

New libgit2 release

https://github.com/libgit2/libgit2/releases/tag/v0.25.1
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

with the following two fixes:

[...] performs extra sanitization for some edge cases in the Git Smart
Protocol which can lead to attempting to parse outside of the buffer.

https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a


[...] fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library
considered the certificate to be correct. This parameter is always
1/true before this fix leading to a possible MITM.

This does not affect you if you do not use the custom certificate
callback or if you do not take this value into account. This does affect
you if you use pygit2 or git2go regardless of whether you specify a
certificate check callback.

https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22
https://github.com/libgit2/libgit2/commit/98d66240ecb7765e191da19b535c75c92ccc90fe
https://github.com/libgit2/libgit2/commit/3829ba2e710553893faf6336cc6b2f3fc17a293e
https://github.com/libgit2/libgit2/commit/2ac57aa89bde788173b54bd153430369deec64c0

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-11 00:03:42 UTC

@ Maintainer(s): Please bump to >=dev-libs/libgit2-0.24.6 and please let us know if it is ready for the stabilization or how long you want to wait.

Comment 2 Manuel Rüger (RETIRED) gentoo-dev

2017-01-19 11:47:20 UTC

commit df71a330892f9589ce479f9e10c94745f49b389b
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Thu Jan 19 12:46:19 2017 +0100

    dev-libs/libgit2: Version bump to 0.24.6
    
    Gentoo-Bug: 605322
    
    Package-Manager: portage-2.3.3


Please get it stable on amd64 and x86.

Comment 3 Agostino Sarubbo gentoo-dev

2017-01-19 17:06:50 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2017-01-19 17:07:27 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 5 liva 2017-01-19 22:23:26 UTC

kde-apps/kate-16.12.1(9999) "ERROR: compile" with dev-libs:libgit2-0.24.6
with dev-libs:libgit2-9999 - OK
(+libressl)

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-19 22:30:09 UTC

(In reply to liva from comment #5)
> kde-apps/kate-16.12.1(9999) "ERROR: compile" with dev-libs:libgit2-0.24.6
> with dev-libs:libgit2-9999 - OK
> (+libressl)

Please file a new bug against kde-apps/kate.

Comment 7 liva 2017-01-19 23:15:18 UTC

> Please file a new bug against kde-apps/kate.

https://bugs.gentoo.org/show_bug.cgi?id=606556

Comment 8 Manuel Rüger (RETIRED) gentoo-dev

2017-01-20 13:51:31 UTC

Vulnerable versions cleaned up.

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2017-01-20 14:02:54 UTC

GLSA Vote: No