Fedora 28: libgit2 Security Update 2018-3e021c6c2e
Summary
libgit2 is a portable, pure C implementation of the Git core methods
provided as a re-entrant linkable library with a solid API, allowing
you to write native speed custom Git applications in any language
with bindings.
This is a security release fixing out-of-bounds reads when processing smart-protocol "ng" packets. When parsing an "ng" packet, we keep track of both the
current position as well as the remaining length of the packet itself. But
instead of taking care not to exceed the length, we pass the current pointer's
position to strchr, which will search for a certain character until hitting NUL.
It is thus possible to create a crafted packet which doesn't contain a NUL byte
to trigger an out-of-bounds read. The issue was discovered by the oss-fuzz
project, issue 9406.
* Tue Aug 7 2018 Pete Walter
- Update to 0.26.6
* Tue Jul 10 2018 Pete Walter
- Update to 0.26.5 (CVE-2018-10887, CVE-2018-10888)
* Mon Jun 25 2018 Pete Walter
- Update to 0.26.4 (CVE-2018-11235)
su -c 'dnf upgrade --advisory FEDORA-2018-3e021c6c2e' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAFODB7GRTYS4SCIO2GNYOE4NAC7AE3P/
FEDORA-2018-3e021c6c2e 2018-08-09 17:40:27.265194 Product : Fedora 28 Version : 0.26.6 Release : 1.fc28 URL : https://libgit2.org/ Summary : C implementation of the Git core methods as a library with a solid API Description : libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. This is a security release fixing out-of-bounds reads when processing smart-protocol "ng" packets. When parsing an "ng" packet, we keep track of both the current position as well as the remaining length of the packet itself. But instead of taking care not to exceed the length, we pass the current pointer's position to strchr, which will search for a certain character until hitting NUL. It is thus possible to create a crafted packet which doesn't contain a NUL byte to trigger an out-of-bounds read. The issue was discovered by the oss-fuzz project, issue 9406. * Tue Aug 7 2018 Pete Walter - 0.26.6-1 - Update to 0.26.6 * Tue Jul 10 2018 Pete Walter - 0.26.5-1 - Update to 0.26.5 (CVE-2018-10887, CVE-2018-10888) * Mon Jun 25 2018 Pete Walter - 0.26.4-1 - Update to 0.26.4 (CVE-2018-11235) su -c 'dnf upgrade --advisory FEDORA-2018-3e021c6c2e' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAFODB7GRTYS4SCIO2GNYOE4NAC7AE3P/
Change Log
References
Update Instructions
