Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596758 (CVE-2016-8568, CVE-2016-8569) - <dev-libs/libgit2-0.24.2: two invalid memory accesses (CVE-2016-{8568,8569})
Summary: <dev-libs/libgit2-0.24.2: two invalid memory accesses (CVE-2016-{8568,8569})
Status: RESOLVED FIXED
Alias: CVE-2016-8568, CVE-2016-8569
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 599264
Blocks:
  Show dependency tree
 
Reported: 2016-10-10 10:35 UTC by Agostino Sarubbo
Modified: 2017-01-20 14:02 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-10-10 10:35:03 UTC
From ${URL} :

We recently reported two invalid memory accesses in the last revision
of libgit2:

* Read out-of-bounds in git_oid_nfmt:
https://github.com/libgit2/libgit2/issues/3936

* DoS using a null pointer derreference in git_commit_message:
https://github.com/libgit2/libgit2/issues/3937

The developers are preparing a patch to harden object parsing in libgit2 here:

https://github.com/libgit2/libgit2/pull/3956



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2016-10-10 22:39:53 UTC
commit f9e4d518a020417d1cb9a0cd539f28bcb63e995b
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Tue Oct 11 00:35:21 2016 +0200

    dev-libs/libgit2: Security bump to 0.24.2
    
    Gentoo-Bug: 596758
    
    Package-Manager: portage-2.3.1


@arches please stabilize
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2016-10-10 22:42:37 UTC
Needs to be cleaned up/updated for cleanup:

app-editors/atom-1.10.2:        =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.7.4-r4:      =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.8.0-r1:      =dev-libs/libgit2-0.23*:=[ssh]

dev-libs/libgit2-glib-0.22.8:   <dev-libs/libgit2-0.23
dev-libs/libgit2-glib-0.23.10-r1:       <dev-libs/libgit2-0.24

dev-python/pygit2-0.20.3:RDEPEND="=dev-libs/libgit2-$(get_version_component_range 1-2)*"
dev-python/pygit2-0.21.4-r1:    =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-python/pygit2-0.22.1:       =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-python/pygit2-0.23.0:       =dev-libs/libgit2-$(get_version_component_range 1-2)*
dev-python/pygit2-0.23.3:       =dev-libs/libgit2-$(get_version_component_range 1-2)*

dev-vcs/gitg-3.18.0-r1: <dev-libs/libgit2-glib-0.24.0

www-apps/blohg-0.13-r1: git? ( =dev-python/pygit2-0.20* )
www-apps/blohg-9999:    git? ( =dev-python/pygit2-0.21* )
Comment 3 Agostino Sarubbo gentoo-dev 2016-10-11 15:51:47 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-20 13:47:04 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2016-11-20 14:05:17 UTC
CC'ing atom maintainers, please clean up your package.

app-editors/atom-1.10.2:        =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.7.4-r4:      =dev-libs/libgit2-0.23*:=[ssh]
app-editors/atom-1.8.0-r1:      =dev-libs/libgit2-0.23*:=[ssh]
Comment 6 Elvis Pranskevichus 2016-11-20 18:00:19 UTC
app-editors/atom cleanup patch is here: https://github.com/gentoo/gentoo/pull/2836
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 00:36:25 UTC
@ Manuel: Still waiting for your cleanup.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-12-05 01:08:59 UTC
Cleaned:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b64de1489263019495731928a65665e3ab3daba

GLSA Vote: No
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-12-05 01:49:59 UTC
Reverting cleanup...
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-12-27 09:15:22 UTC
please clean...
Comment 11 Manuel Rüger (RETIRED) gentoo-dev 2016-12-27 15:22:27 UTC
(In reply to Aaron Bauman from comment #10)
> please clean...

dev-util/geany-plugins-1.25:    git? ( <dev-libs/libgit2-0.23.0 )
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2017-01-20 13:51:26 UTC
Vulnerable versions cleaned up.