Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 649984 (CVE-2018-8098, CVE-2018-8099) - <dev-libs/libgit2-0.26.2: multiple DoS vulnerabilities
Summary: <dev-libs/libgit2-0.26.2: multiple DoS vulnerabilities
Alias: CVE-2018-8098, CVE-2018-8099
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2018-03-09 07:28 UTC by Michał Górny
Modified: 2018-03-20 16:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-03-09 07:28:58 UTC
Citing upstream release:

> This is a security release fixing memory handling issues when reading crafted
> repository index files. The issues allow for possible denial of service due to
> allocation of large memory and out-of-bound reads.

> As the index is never transferred via the network, exploitation requires an
> attacker to have access to the local repository.

I have already bumped to 0.26.2 and I suppose we'll want to fast-stabilize it.

@security, could you do your thing and advise?
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-09 15:05:10 UTC
(In reply to Michał Górny from comment #0)
> @security, could you do your thing and advise?

Thanks Michał, setting whiteboard, and calling arches for stabilization. 

@Arches, please test and mark stable.
Comment 2 Agostino Sarubbo gentoo-dev 2018-03-10 18:25:46 UTC
amd64 stable
Comment 3 Thomas Deutschmann gentoo-dev 2018-03-11 02:18:11 UTC
x86 stable
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2018-03-20 14:49:21 UTC
CVE-2018-8099 (
  Incorrect returning of an error code in the index.c:read_entry() function
  leads to a double free in libgit2 before v0.26.2, which allows an attacker
  to cause a denial of service via a crafted repository index file.

CVE-2018-8098 (
  Integer overflow in the index.c:read_entry() function while decompressing a
  compressed prefix length in libgit2 before v0.26.2 allows an attacker to
  cause a denial of service (out-of-bounds read) via a crafted repository
  index file.
Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-20 14:50:48 UTC
GLSA Vote: No

Please remove vulnerable versions.

Thank you
Comment 6 Larry the Git Cow gentoo-dev 2018-03-20 16:16:10 UTC
The bug has been referenced in the following commit(s):

commit 4e09c049b001b8f3f930fb69a249563d5f2c3389
Author:     Michał Górny <>
AuthorDate: 2018-03-20 16:15:58 +0000
Commit:     Michał Górny <>
CommitDate: 2018-03-20 16:15:59 +0000

    dev-libs/libgit2: Drop old, vulnerable 0.26.0

 dev-libs/libgit2/Manifest              |  1 -
 dev-libs/libgit2/libgit2-0.26.0.ebuild | 75 ----------------------------------
 2 files changed, 76 deletions(-)}