Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605322 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339) - <dev-libs/libgit2-0.24.6: multiple vulnerabilities
Summary: <dev-libs/libgit2-0.24.6: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-10 23:58 UTC by Thomas Deutschmann
Modified: 2017-01-20 14:02 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/libgit2-0.24.6
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-01-10 23:58:34 UTC
New libgit2 release

https://github.com/libgit2/libgit2/releases/tag/v0.25.1
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

with the following two fixes:

[...] performs extra sanitization for some edge cases in the Git Smart
Protocol which can lead to attempting to parse outside of the buffer.

https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a


[...] fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library
considered the certificate to be correct. This parameter is always
1/true before this fix leading to a possible MITM.

This does not affect you if you do not use the custom certificate
callback or if you do not take this value into account. This does affect
you if you use pygit2 or git2go regardless of whether you specify a
certificate check callback.

https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22
https://github.com/libgit2/libgit2/commit/98d66240ecb7765e191da19b535c75c92ccc90fe
https://github.com/libgit2/libgit2/commit/3829ba2e710553893faf6336cc6b2f3fc17a293e
https://github.com/libgit2/libgit2/commit/2ac57aa89bde788173b54bd153430369deec64c0
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-01-11 00:03:42 UTC
@ Maintainer(s): Please bump to >=dev-libs/libgit2-0.24.6 and please let us know if it is ready for the stabilization or how long you want to wait.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-01-19 11:47:20 UTC
commit df71a330892f9589ce479f9e10c94745f49b389b
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Thu Jan 19 12:46:19 2017 +0100

    dev-libs/libgit2: Version bump to 0.24.6
    
    Gentoo-Bug: 605322
    
    Package-Manager: portage-2.3.3


Please get it stable on amd64 and x86.
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-19 17:06:50 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-19 17:07:27 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 liva 2017-01-19 22:23:26 UTC
kde-apps/kate-16.12.1(9999) "ERROR: compile" with dev-libs:libgit2-0.24.6
with dev-libs:libgit2-9999 - OK
(+libressl)
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-01-19 22:30:09 UTC
(In reply to liva from comment #5)
> kde-apps/kate-16.12.1(9999) "ERROR: compile" with dev-libs:libgit2-0.24.6
> with dev-libs:libgit2-9999 - OK
> (+libressl)

Please file a new bug against kde-apps/kate.
Comment 7 liva 2017-01-19 23:15:18 UTC
> Please file a new bug against kde-apps/kate.

https://bugs.gentoo.org/show_bug.cgi?id=606556
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-01-20 13:51:31 UTC
Vulnerable versions cleaned up.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-20 14:02:54 UTC
GLSA Vote: No