
Bug 662994

Summary: <dev-libs/libgit2-{0.26.6,0.27.4}: oob read in smart-protocol 'ng' packets
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome, mgorny
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
dev-libs/libgit2-0.26.6
Runtime testing required: No

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-07 05:50:55 UTC
From https://github.com/libgit2/libgit2/releases:

| This is a security release fixing out-of-bounds reads when
| processing smart-protocol "ng" packets.
| 
| When parsing an "ng" packet, we keep track of both the current position
| as well as the remaining length of the packet itself. But instead of
| taking care not to exceed the length, we pass the current pointer's
| position to strchr, which will search for a certain character until
| hitting NUL. It is thus possible to create a crafted packet which
| doesn't contain a NUL byte to trigger an out-of-bounds read.
| 
| The issue was discovered by the oss-fuzz project, issue 9406.

0.26.6 and 0.27.4 releases contain the fix; the older versions are vulnerable.
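
The bounded search that the quoted release notes call for, as an added example that is not libgit2's code and not part of the original report. The names parse_ng and struct ng_fields are hypothetical, and the "ng <ref> <msg>\n" line layout is assumed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: slices into the caller's buffer, not C strings. */
struct ng_fields {
    const char *ref, *msg;
    size_t ref_len, msg_len;
};

/*
 * Parse "ng <ref> <msg>\n" from exactly `len` bytes that need not be
 * NUL-terminated. Every search is a memchr bounded by the bytes left;
 * strchr(line, ' ') would keep scanning past the packet until a NUL.
 * Returns 0 on success, -1 if malformed (empty fields are rejected,
 * a choice made for this example).
 */
int parse_ng(const char *line, size_t len, struct ng_fields *out)
{
    const char *end = line + len, *sp, *nl;

    if (len < 3 || memcmp(line, "ng ", 3) != 0)
        return -1;
    line += 3;

    sp = memchr(line, ' ', (size_t)(end - line));   /* end of ref name */
    if (sp == NULL || sp == line)
        return -1;
    nl = memchr(sp + 1, '\n', (size_t)(end - (sp + 1))); /* end of message */
    if (nl == NULL || nl == sp + 1)
        return -1;

    out->ref = line;   out->ref_len = (size_t)(sp - line);
    out->msg = sp + 1; out->msg_len = (size_t)(nl - (sp + 1));
    return 0;
}

int main(void)
{
    /* Constructed sample packet body, deliberately not NUL-terminated. */
    static const char pkt[] = {'n','g',' ','r','e','f','s','/','x',' ','b','a','d','\n'};
    struct ng_fields f;

    if (parse_ng(pkt, sizeof pkt, &f) != 0)
        return 1;
    printf("ref=%.*s msg=%.*s\n", (int)f.ref_len, f.ref, (int)f.msg_len, f.msg);
    return 0;
}
```

Building a harness around a parser like this with -fsanitize=address makes any read past `len` abort immediately instead of passing silently.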
Comment 1 Larry the Git Cow gentoo-dev 2018-08-07 06:21:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72c1966bf06a5c6873074c7f5cebc27f6f8bb5c7

commit 72c1966bf06a5c6873074c7f5cebc27f6f8bb5c7
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-07 06:06:11 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-07 06:21:34 +0000

    dev-libs/libgit2: Sec-bump to 0.27.4
    
    Bug: https://bugs.gentoo.org/662994

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.27.4.ebuild | 80 ++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc124f9c519cb2cc6469c4f9bf774dd1f22d8fec

commit cc124f9c519cb2cc6469c4f9bf774dd1f22d8fec
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-07 05:51:57 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-07 06:21:34 +0000

    dev-libs/libgit2: Sec-bump to 0.26.6
    
    Bug: https://bugs.gentoo.org/662994

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.26.6.ebuild | 80 ++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-08-07 06:24:39 UTC
Arch teams, please test and stabilize the fixed version.
Comment 3 Agostino Sarubbo gentoo-dev 2018-08-07 08:50:59 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-07 22:44:03 UTC
x86 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-07 22:45:25 UTC
GLSA Vote: No!


@ Maintainer(s): Please clean up and drop <dev-libs/libgit2-0.26.6 and <dev-libs/libgit2-0.27.4!
Comment 6 Larry the Git Cow gentoo-dev 2018-08-08 02:55:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c22582f2f5edd207a7d2dbe15d549701d04a3986

commit c22582f2f5edd207a7d2dbe15d549701d04a3986
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-08-08 02:55:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-08-08 02:55:02 +0000

    dev-libs/libgit2: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/662994

 dev-libs/libgit2/Manifest              |  2 -
 dev-libs/libgit2/libgit2-0.26.5.ebuild | 80 ----------------------------------
 dev-libs/libgit2/libgit2-0.27.3.ebuild | 80 ----------------------------------
 3 files changed, 162 deletions(-)