Upstream made security fix releases of both branches: https://github.com/libgit2/libgit2/releases/tag/v0.26.5 https://github.com/libgit2/libgit2/releases/tag/v0.27.3 Citing the upstream description: This is a security release fixing out-of-bounds reads when reading objects from a packfile. This corresponds to CVE-2018-10887 and CVE-2018-10888, which were both reported by Riccardo Schirone. When packing objects into a single so-called packfile, objects may not get stored as complete copies but instead as deltas against another object "base". A specially crafted delta object could trigger an integer overflow and thus bypass our input validation, which may result in copying memory before or after the base object into the final deflated object. This may lead to objects containing copies of system memory being written into the object database. As the hash of those objects cannot be easily controlled by the attacker, it is unlikely that any of those objects will be valid and referenced by the commit graph.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa3b0b415cd0c9422036864134dcd6b6ef346528 commit fa3b0b415cd0c9422036864134dcd6b6ef346528 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2018-07-10 06:31:17 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2018-07-10 06:49:41 +0000 dev-libs/libgit2: Sec-bump to 0.26.5 & 0.27.3 Bug: https://bugs.gentoo.org/660834 dev-libs/libgit2/Manifest | 2 + dev-libs/libgit2/libgit2-0.26.5.ebuild | 80 ++++++++++++++++++++++++++++++++++ dev-libs/libgit2/libgit2-0.27.3.ebuild | 80 ++++++++++++++++++++++++++++++++++ 3 files changed, 162 insertions(+)
Arch teams, please test and stabilize the new release.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac69fa3d5bd64b6d798b8ffb4869b646bd5bffa1 commit ac69fa3d5bd64b6d798b8ffb4869b646bd5bffa1 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2018-07-10 06:56:30 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2018-07-10 06:58:06 +0000 dev-libs/libgit2: Remove vulnerable 0.27.[12] Bug: https://bugs.gentoo.org/660834 dev-libs/libgit2/Manifest | 2 - dev-libs/libgit2/libgit2-0.27.1.ebuild | 80 ---------------------------------- dev-libs/libgit2/libgit2-0.27.2.ebuild | 80 ---------------------------------- 3 files changed, 162 deletions(-)
amd64 stable
x86 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f43e9b1207efa9698ca98d2be4cf5125f5f269fd commit f43e9b1207efa9698ca98d2be4cf5125f5f269fd Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2018-07-18 22:08:21 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2018-07-18 22:11:19 +0000 dev-libs/libgit2: Drop vulnerable 0.26.4 Bug: https://bugs.gentoo.org/660834 dev-libs/libgit2/Manifest | 1 - dev-libs/libgit2/libgit2-0.26.4.ebuild | 80 ---------------------------------- 2 files changed, 81 deletions(-)
