Citing upstream release:

> This is a security release fixing memory handling issues when reading crafted
> repository index files. The issues allow for possible denial of service due to
> allocation of large memory and out-of-bound reads.
> As the index is never transferred via the network, exploitation requires an
> attacker to have access to the local repository.

I have already bumped to 0.26.2 and I suppose we'll want to fast-stabilize it.

@security, could you do your thing and advise?

(In reply to Michał Górny from comment #0)
> @security, could you do your thing and advise?

Thanks Michał, setting whiteboard, and calling arches for stabilization.

@Arches, please test and mark stable.
amd64 stable
x86 stable
CVE-2018-8099 (https://nvd.nist.gov/vuln/detail/CVE-2018-8099):
  Incorrect returning of an error code in the index.c:read_entry() function
  leads to a double free in libgit2 before v0.26.2, which allows an attacker
  to cause a denial of service via a crafted repository index file.

CVE-2018-8098 (https://nvd.nist.gov/vuln/detail/CVE-2018-8098):
  Integer overflow in the index.c:read_entry() function while decompressing a
  compressed prefix length in libgit2 before v0.26.2 allows an attacker to
  cause a denial of service (out-of-bounds read) via a crafted repository
  index file.

GLSA Vote: No

Please remove vulnerable versions.

Thank you

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e09c049b001b8f3f930fb69a249563d5f2c3389

commit 4e09c049b001b8f3f930fb69a249563d5f2c3389
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-03-20 16:15:58 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-03-20 16:15:59 +0000

    dev-libs/libgit2: Drop old, vulnerable 0.26.0

    Bug: https://bugs.gentoo.org/649984

 dev-libs/libgit2/Manifest              |  1 -
 dev-libs/libgit2/libgit2-0.26.0.ebuild | 75 ----------------------------------
 2 files changed, 76 deletions(-)