Bug 605322 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339) - <dev-libs/libgit2-0.24.6: multiple vulnerabilities
Summary: <dev-libs/libgit2-0.24.6: multiple vulnerabilities
Alias: CVE-2016-10128, CVE-2016-10129, CVE-2016-10130, CVE-2017-5338, CVE-2017-5339
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2017-01-10 23:58 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-01-20 14:02 UTC

Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 23:58:34 UTC
New libgit2 release

with the following two fixes:

[...] performs extra sanitization for some edge cases in the Git Smart
Protocol which can lead to attempting to parse outside of the buffer.

[...] fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library
considered the certificate to be correct. This parameter is always
1/true before this fix leading to a possible MITM.

This does not affect you if you do not use the custom certificate
callback or if you do not take this value into account. This does affect
you if you use pygit2 or git2go regardless of whether you specify a
certificate check callback.
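The certificate-callback issue in the release note above, as an added example (this is not libgit2, pygit2 or git2go code, nor the reporter's): it models the callback contract libgit2 uses, `int cb(cert, valid, host, payload)` returning 0 to accept and a negative value to reject, with stand-in types so it compiles without libgit2 headers. It contrasts a callback that simply trusts `valid` (which on < 0.24.6 accepts anything, because `valid` was hard-wired to 1) with one that pins the expected fingerprint and so rejects a substituted certificate regardless of what the library reports. The `demo_*` types, the `-17` return code, the host name and the fingerprint bytes are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_FP_LEN 32

/* Stand-in for the certificate object libgit2 hands to the callback.
   Assumption: the real git_cert structs look different; this demo only
   carries the fingerprint the pinning callback compares against. */
typedef struct {
    unsigned char fingerprint[DEMO_FP_LEN]; /* e.g. SHA-256 of the presented cert */
} demo_cert;

/* Callback return contract: 0 accepts the connection, a negative value
   rejects it. -17 is assumed to mirror GIT_ECERTIFICATE. */
#define DEMO_OK 0
#define DEMO_ECERTIFICATE (-17)

/* Pin table handed to the callback via `payload` (constructed sample data). */
typedef struct {
    const char *host;
    unsigned char fingerprint[DEMO_FP_LEN];
} demo_pin;

/* Same shape as libgit2's certificate check callback: (cert, valid, host, payload). */
typedef int (*demo_cert_check_cb)(const demo_cert *cert, int valid,
                                  const char *host, void *payload);

/* Callback A: defers entirely to `valid`. This is the pattern the release
   note warns about: on libgit2 < 0.24.6 `valid` is always 1, so any
   certificate, including an attacker's, is accepted. */
int cb_trust_valid(const demo_cert *cert, int valid, const char *host, void *payload)
{
    (void)cert; (void)host; (void)payload;
    return valid ? DEMO_OK : DEMO_ECERTIFICATE;
}

/* Callback B: pins the fingerprint per host and requires both the pin and
   the library verdict. A pin mismatch rejects even when `valid` is wrongly 1,
   and an unknown host fails closed. */
int cb_pin_and_valid(const demo_cert *cert, int valid, const char *host, void *payload)
{
    const demo_pin *pin = payload;
    for (; pin->host != NULL; pin++) {
        if (strcmp(pin->host, host) != 0)
            continue;
        if (memcmp(pin->fingerprint, cert->fingerprint, DEMO_FP_LEN) != 0)
            return DEMO_ECERTIFICATE; /* fingerprint differs from the pin */
        return valid ? DEMO_OK : DEMO_ECERTIFICATE;
    }
    return DEMO_ECERTIFICATE; /* no pin recorded for this host */
}

/* Simulated library side. `fixed` selects 0.24.6 behaviour (pass the native
   crypto library's verdict through) versus pre-fix behaviour (valid always 1). */
int library_valid_flag(int fixed, int native_verdict)
{
    return fixed ? native_verdict : 1;
}

/* Constructed sample data: one pinned host, the genuine certificate it
   should present, and an attacker certificate with a different fingerprint.
   Unlisted fingerprint bytes are zero. */
static demo_pin sample_pins[] = {
    { "git.example.invalid", { 0x11, 0x22, 0x33, 0x44 } },
    { NULL, { 0 } }
};
static const demo_cert genuine_cert  = { { 0x11, 0x22, 0x33, 0x44 } };
static const demo_cert attacker_cert = { { 0xDE, 0xAD, 0xBE, 0xEF } };

/* One connection attempt. The native library trusts only the genuine cert,
   so its verdict is 0 whenever the attacker's cert is presented. */
int attempt_connect(int fixed, int attacker, demo_cert_check_cb cb)
{
    const demo_cert *presented = attacker ? &attacker_cert : &genuine_cert;
    int native_verdict = attacker ? 0 : 1;
    int valid = library_valid_flag(fixed, native_verdict);
    return cb(presented, valid, "git.example.invalid", sample_pins);
}

int main(void)
{
    printf("pre-fix, attacker cert, trust-valid callback: %d (0 = accepted, MITM)\n",
           attempt_connect(0, 1, cb_trust_valid));
    printf("pre-fix, attacker cert, pinning callback:     %d\n",
           attempt_connect(0, 1, cb_pin_and_valid));
    printf("fixed,   attacker cert, trust-valid callback: %d\n",
           attempt_connect(1, 1, cb_trust_valid));
    printf("fixed,   genuine cert,  pinning callback:     %d\n",
           attempt_connect(1, 0, cb_pin_and_valid));
    return 0;
}
```

The pinning callback is what "do not take this value into account" buys you: it is unaffected by the bug because it never lets `valid` alone decide, whereas the `valid`-only callback is exactly the case that turns into a possible MITM on the vulnerable versions.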
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-11 00:03:42 UTC
@ Maintainer(s): Please bump to >=dev-libs/libgit2-0.24.6 and please let us know if it is ready for the stabilization or how long you want to wait.
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2017-01-19 11:47:20 UTC
commit df71a330892f9589ce479f9e10c94745f49b389b
Author: Manuel Rüger <>
Date:   Thu Jan 19 12:46:19 2017 +0100

    dev-libs/libgit2: Version bump to 0.24.6
    Gentoo-Bug: 605322
    Package-Manager: portage-2.3.3

Please get it stable on amd64 and x86.
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-19 17:06:50 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-19 17:07:27 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 liva 2017-01-19 22:23:26 UTC
kde-apps/kate-16.12.1(9999) "ERROR: compile" with dev-libs:libgit2-0.24.6
with dev-libs:libgit2-9999 - OK
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-19 22:30:09 UTC
(In reply to liva from comment #5)
> kde-apps/kate-16.12.1(9999) "ERROR: compile" with dev-libs:libgit2-0.24.6
> with dev-libs:libgit2-9999 - OK
> (+libressl)

Please file a new bug against kde-apps/kate.
Comment 7 liva 2017-01-19 23:15:18 UTC
> Please file a new bug against kde-apps/kate.
Comment 8 Manuel Rüger (RETIRED) gentoo-dev 2017-01-20 13:51:31 UTC
Vulnerable versions cleaned up.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-01-20 14:02:54 UTC
GLSA Vote: No