Bug 692166

Summary: <dev-libs/libgit2-0.28.3: OOB writes or DOS using crafted commit objects
Product: Gentoo Security
Reporter: Michał Górny <mgorny>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome, ikelos, mgorny
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [noglsa]
Package list:
dev-libs/libgit2-0.28.3 amd64 arm64 x86
dev-python/pygit2-0.28.2 amd64 x86
dev-libs/libgit2-glib-0.28.0.1 amd64 x86
dev-vcs/gitg-3.32.1 amd64 x86
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-14 20:42:58 UTC
According to release notes [1]:

| A carefully constructed commit object with a very large number
| of parents may lead to potential out-of-bounds writes or
| potential denial of service.

<0.27.9, and <0.28.3 (of 0.28*) are affected.  Since we don't have the 0.27 branch, I'm going to bump to 0.28.3, and we'll probably want to stabilize it ASAP.

@gnome, is it ok to stabilize gitg-3.32*?

[1] https://github.com/libgit2/libgit2/releases/tag/v0.28.3
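The affected ranges above (every 0.27.x before 0.27.9 and every 0.28.x before 0.28.3) are easy to get wrong with a plain string comparison, because the fix exists on two branches at once. The following is an added example, not code from this bug, from Gentoo or from the libgit2/pygit2 projects: it encodes those two ranges as a version check and, best effort, reads the installed library version from pygit2 (assumed to expose LIBGIT2_VERSION, as pygit2 releases of this era do) or from pkg-config. Two assumptions beyond what the page states are marked in the code: branches older than 0.27 are treated as affected (no fixed release exists on them), and 0.x branches newer than 0.28 are treated as not affected (cut after the fix).

```python
"""Check a libgit2 version string against the ranges named in this bug.

Added example, not part of the Gentoo bug or of libgit2/pygit2.
Affected per the 0.28.3 release notes quoted above:
  every 0.27.x before 0.27.9, and every 0.28.x before 0.28.3.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First fixed release on each of the two branches the advisory names.
FIXED = {27: (0, 27, 9), 28: (0, 28, 3)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '0.28.2', 'v0.28.3' or '0.27.9-r1' (Gentoo revision suffix)
    into a (major, minor, patch) tuple; anything after the patch is ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a libgit2 version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if this libgit2 version falls inside the vulnerable ranges."""
    major, minor, patch = parse_version(version)
    if major > 0:
        return False  # assumption: 1.x releases postdate the fix
    if minor > 28:
        return False  # assumption: later 0.x branches were cut after the fix
    if minor in FIXED:
        return (major, minor, patch) < FIXED[minor]
    return True  # 0.26 and older: no fixed release exists on those branches


def installed_libgit2_version() -> Optional[str]:
    """Best effort: ask pygit2 for the linked library's version, then
    fall back to pkg-config. Returns None if neither is available."""
    try:
        import pygit2  # exposes LIBGIT2_VERSION as e.g. '0.28.2'
        return pygit2.LIBGIT2_VERSION
    except ImportError:
        pass
    if shutil.which("pkg-config"):
        res = subprocess.run(["pkg-config", "--modversion", "libgit2"],
                             capture_output=True, text=True)
        if res.returncode == 0:
            return res.stdout.strip()
    return None


if __name__ == "__main__":
    v = installed_libgit2_version()
    if v is None:
        print("libgit2 not found via pygit2 or pkg-config")
    else:
        state = "AFFECTED" if is_affected(v) else "not affected"
        print(f"libgit2 {v}: {state}")
```

Note that pygit2 and libgit2-glib do not carry the vulnerable code themselves; what matters is the libgit2 they link against, which is why the helper reports the library version rather than the binding's own version.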
Comment 1 Larry the Git Cow gentoo-dev 2019-08-14 20:58:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20523a775ef79244df52d3cfa87dcafca094560d

commit 20523a775ef79244df52d3cfa87dcafca094560d
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-14 20:58:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-14 20:58:41 +0000

    dev-libs/libgit2: Bump to 0.28.3
    
    Bug: https://bugs.gentoo.org/692166
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libgit2/Manifest              |  1 +
 dev-libs/libgit2/libgit2-0.28.3.ebuild | 72 ++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-15 07:15:26 UTC
Arch teams, please stabilize.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-16 22:39:34 UTC
x86 stable
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-08-16 22:53:22 UTC
arm64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-08-18 21:52:36 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Larry the Git Cow gentoo-dev 2019-08-19 04:28:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a23e5ff54b17576fb7eb8a2f91257940d00342ec

commit a23e5ff54b17576fb7eb8a2f91257940d00342ec
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-08-19 04:23:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-19 04:28:41 +0000

    dev-libs/libgit2: Drop old
    
    Bug: https://bugs.gentoo.org/692166
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/libgit2/Manifest                          |  2 -
 ...libgit2-0.26.8-disable-oom-tests-on-32bit.patch | 64 -----------------
 dev-libs/libgit2/libgit2-0.26.8.ebuild             | 82 ----------------------
 dev-libs/libgit2/libgit2-0.28.2.ebuild             | 72 -------------------
 dev-libs/libgit2/metadata.xml                      |  2 -
 5 files changed, 222 deletions(-)