Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 660834 (CVE-2018-10887, CVE-2018-10888) - <dev-libs/libgit2-{0.26.5, 0.27.3}: out-of-bounds reads when reading objects from a packfile (CVE-2018-10887, CVE-2018-10888)
Summary: <dev-libs/libgit2-{0.26.5, 0.27.3}: out-of-bounds reads when reading objects ...
Status: RESOLVED FIXED
Alias: CVE-2018-10887, CVE-2018-10888
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-10 06:23 UTC by Michał Górny
Modified: 2018-07-18 22:19 UTC (History)
2 users (show)

See Also:
Package list:
dev-libs/libgit2-0.26.5
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-07-10 06:23:20 UTC
Upstream made security fix releases of both branches:

https://github.com/libgit2/libgit2/releases/tag/v0.26.5
https://github.com/libgit2/libgit2/releases/tag/v0.27.3

Citing the upstream description:

This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone.

When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object "base". A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.
Comment 1 Larry the Git Cow gentoo-dev 2018-07-10 06:49:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa3b0b415cd0c9422036864134dcd6b6ef346528

commit fa3b0b415cd0c9422036864134dcd6b6ef346528
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-07-10 06:31:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-07-10 06:49:41 +0000

    dev-libs/libgit2: Sec-bump to 0.26.5 & 0.27.3
    
    Bug: https://bugs.gentoo.org/660834

 dev-libs/libgit2/Manifest              |  2 +
 dev-libs/libgit2/libgit2-0.26.5.ebuild | 80 ++++++++++++++++++++++++++++++++++
 dev-libs/libgit2/libgit2-0.27.3.ebuild | 80 ++++++++++++++++++++++++++++++++++
 3 files changed, 162 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-07-10 06:52:37 UTC
Arch teams, please test and stabilize the new release.
Comment 3 Larry the Git Cow gentoo-dev 2018-07-10 06:58:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac69fa3d5bd64b6d798b8ffb4869b646bd5bffa1

commit ac69fa3d5bd64b6d798b8ffb4869b646bd5bffa1
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-07-10 06:56:30 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-07-10 06:58:06 +0000

    dev-libs/libgit2: Remove vulnerable 0.27.[12]
    
    Bug: https://bugs.gentoo.org/660834

 dev-libs/libgit2/Manifest              |  2 -
 dev-libs/libgit2/libgit2-0.27.1.ebuild | 80 ----------------------------------
 dev-libs/libgit2/libgit2-0.27.2.ebuild | 80 ----------------------------------
 3 files changed, 162 deletions(-)
Comment 4 Agostino Sarubbo gentoo-dev 2018-07-11 14:28:15 UTC
amd64 stable
Comment 5 Thomas Deutschmann gentoo-dev 2018-07-15 14:25:02 UTC
x86 stable
Comment 6 Larry the Git Cow gentoo-dev 2018-07-18 22:11:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f43e9b1207efa9698ca98d2be4cf5125f5f269fd

commit f43e9b1207efa9698ca98d2be4cf5125f5f269fd
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-07-18 22:08:21 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-07-18 22:11:19 +0000

    dev-libs/libgit2: Drop vulnerable 0.26.4
    
    Bug: https://bugs.gentoo.org/660834

 dev-libs/libgit2/Manifest              |  1 -
 dev-libs/libgit2/libgit2-0.26.4.ebuild | 80 ----------------------------------
 2 files changed, 81 deletions(-)