Arch Linux: ASA-201611-17 Low: Libgit2 Denial Of Service Threat

Arch Linux Security Advisory ASA-201611-17
=========================================
Severity: Low
Date    : 2016-11-16
CVE-ID  : CVE-2016-8568 CVE-2016-8569
Package : libgit2
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package libgit2 before version 1:0.24.3-1 is vulnerable to denial
of service.

Resolution
=========
Upgrade to 1:0.24.3-1.

# pacman -Syu "libgit2>=1:0.24.3-1"

The problems have been fixed upstream in version 0.24.3.

Workaround
=========
None.

Description
==========
- CVE-2016-8568 (denial of service)

A heap-based read out-of-bounds access has been discovered while
parsing a malformed object file.

- CVE-2016-8569 (denial of service)

A null pointer dereference has been discovered while showing a
malformed object file.

Impact
=====
A remote attacker is able to create specially crafted object files that
lead to an application crash resulting in denial of service.

References
=========
https://seclists.org/oss-sec/2016/q4/64
https://github.com/libgit2/libgit2/issues/3936
https://github.com/libgit2/libgit2/issues/3937
https://www.cve.org/CVERecord?id=CVE-2016-8568
https://www.cve.org/CVERecord?id=CVE-2016-8569