
Bug 649984 (CVE-2018-8098, CVE-2018-8099)

Summary: <dev-libs/libgit2-0.26.2: multiple DoS vulnerabilities
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome, mgorny
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/libgit2/libgit2/releases/tag/v0.26.2
Whiteboard: B3 [noglsa cve]
Package list:
dev-libs/libgit2-0.26.2
Runtime testing required: No

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-03-09 07:28:58 UTC
Citing upstream release:

> This is a security release fixing memory handling issues when reading crafted
> repository index files. The issues allow for possible denial of service due to
> allocation of large memory and out-of-bound reads.

> As the index is never transferred via the network, exploitation requires an
> attacker to have access to the local repository.

I have already bumped to 0.26.2 and I suppose we'll want to fast-stabilize it.

@security, could you do your thing and advise?
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-09 15:05:10 UTC
(In reply to Michał Górny from comment #0)
> 
> @security, could you do your thing and advise?

Thanks Michał, setting whiteboard, and calling arches for stabilization. 

@Arches, please test and mark stable.
Comment 2 Agostino Sarubbo gentoo-dev 2018-03-10 18:25:46 UTC
amd64 stable
Comment 3 Thomas Deutschmann gentoo-dev 2018-03-11 02:18:11 UTC
x86 stable
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-03-20 14:49:21 UTC
CVE-2018-8099 (https://nvd.nist.gov/vuln/detail/CVE-2018-8099):
  Incorrect returning of an error code in the index.c:read_entry() function
  leads to a double free in libgit2 before v0.26.2, which allows an attacker
  to cause a denial of service via a crafted repository index file.

CVE-2018-8098 (https://nvd.nist.gov/vuln/detail/CVE-2018-8098):
  Integer overflow in the index.c:read_entry() function while decompressing a
  compressed prefix length in libgit2 before v0.26.2 allows an attacker to
  cause a denial of service (out-of-bounds read) via a crafted repository
  index file.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-20 14:50:48 UTC
GLSA Vote: No

Please remove vulnerable versions.

Thank you
Comment 6 Larry the Git Cow gentoo-dev 2018-03-20 16:16:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e09c049b001b8f3f930fb69a249563d5f2c3389

commit 4e09c049b001b8f3f930fb69a249563d5f2c3389
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-03-20 16:15:58 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-03-20 16:15:59 +0000

    dev-libs/libgit2: Drop old, vulnerable 0.26.0
    
    Bug: https://bugs.gentoo.org/649984

 dev-libs/libgit2/Manifest              |  1 -
 dev-libs/libgit2/libgit2-0.26.0.ebuild | 75 ----------------------------------
 2 files changed, 76 deletions(-)