Alerts This Week
Warning Icon 1 626
Alerts This Week
Warning Icon 1 626

Fedora 27: FEDORA-2018-ca483ae3e0 Critical: Libgit2 Out-Of-Bounds Read

fedora
Calendar Grey August 19, 2018
Dist Fedora Esm H88
A pivotal security enhancement for Fedora 27's libgit2 resolves out-of-bounds read vulnerabilities associated with smart protocol ng packets.
This is a security release fixing out-of-bounds reads when processing smart- protocol "ng" packets

Summary

libgit2 is a portable, pure C implementation of the Git core methods

provided as a re-entrant linkable library with a solid API, allowing

you to write native speed custom Git applications in any language

with bindings.

This is a security release fixing out-of-bounds reads when processing smart-protocol "ng" packets. When parsing an "ng" packet, we keep track of both the

current position as well as the remaining length of the packet itself. But

instead of taking care not to exceed the length, we pass the current pointer's

position to strchr, which will search for a certain character until hitting NUL.

It is thus possible to create a crafted packet which doesn't contain a NUL byte

to trigger an out-of-bounds read. The issue was discovered by the oss-fuzz

project, issue 9406.

* Tue Aug 7 2018 Pete Walter - 0.26.6-1

- Update to 0.26.6

* Tue Jul 10 2018 Pete Walter - 0.26.5-1

- Update to 0.26.5 (CVE-2018-10887, CVE-2018-10888)

* Mon Jun 25 2018 Pete Walter - 0.26.4-1

- Update to 0.26.4 (CVE-2018-11235)

* Mon Mar 12 2018 Igor Gnatenko - 0.26.3-1

- Update to 0.26.3

* Wed Feb 7 2018 Fedora Release Engineering - 0.26.0-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Fri Feb 2 2018 Igor Gnatenko - 0.26.0-4

- Switch to %ldconfig_scriptlets

su -c 'dnf upgrade --advisory FEDORA-2018-ca483ae3e0' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CM5WCC5TEFHVNXMJDTRRAD6VFTJLCDA4/

Topics%20covered

Topics Covered

security advisory update critical Fedora out-of-bounds libgit2 smart protocol

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 27
Version: 0.26.6
Release: 1.fc27
URL: https://libgit2.org/
Summary: C implementation of the Git core methods as a library with a solid API

Topics%20covered

Topics Covered

security advisory update critical Fedora out-of-bounds libgit2 smart protocol

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here