Mageia 2019-0391: libgit2 security update

    Date: 15 Dec 2019
    Category: Mageia
    Posted By: LinuxSecurity Advisories
    libgit2 has been updated to version 0.28.4 to fix several security issues: * A carefully constructed commit object with a very large number of parents may lead to potential out-of-bounds writes or potential denial of service.
    MGASA-2019-0391 - Updated libgit2 packages fix security vulnerabilities
    
    Publication date: 15 Dec 2019
    URL: https://advisories.mageia.org/MGASA-2019-0391.html
    Type: security
    Affected Mageia releases: 7
    CVE: CVE-2019-1348,
         CVE-2019-1350,
         CVE-2019-1387
    
    libgit2 has been updated to version 0.28.4 to fix several security issues:
    
    * A carefully constructed commit object with a very large number
      of parents may lead to potential out-of-bounds writes or
      potential denial of service.
    
    * CVE-2019-1348: the fast-import stream command "feature
      export-marks=path" allows writing to arbitrary file paths. As
      libgit2 does not offer any interface for fast-import, it is not
      susceptible to this vulnerability.
    
    * CVE-2019-1350: recursive clones may lead to arbitrary remote
      code execution due to improper quoting of command line
      arguments. As libgit2 uses libssh2, which does not require us
      to perform command line parsing, it is not susceptible to this
      vulnerability.
    
    * CVE-2019-1387: it is possible to let a submodule's git
      directory point into a sibling's submodule directory, which may
      result in overwriting parts of the Git repository and thus lead
      to arbitrary command execution. As libgit2 doesn't provide any
      way to do submodule clones natively, it is not susceptible to
      this vulnerability. Users of libgit2 that have implemented
      recursive submodule clones manually are encouraged to review
      their implementation for this vulnerability.
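
For callers who implemented recursive submodule clones on top of libgit2, one way to screen a set of submodule names for the CVE-2019-1387 condition before creating any submodule git directory. This is an added example, not code from libgit2 or from the advisory; it assumes each git directory is placed at `.git/modules/<name>`, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* 1 if `outer` equals `inner` or is a directory prefix of it ("a" contains
 * "a/b", not "ab"). Byte-wise: fold case first on case-insensitive filesystems. */
static int path_contains(const char *outer, const char *inner)
{
    size_t n = strlen(outer);
    return strncmp(outer, inner, n) == 0 &&
           (inner[n] == '\0' || inner[n] == '/');
}

/* 1 if `name` is a plain relative path: no empty, "." or ".." components and
 * no backslashes. Without this the prefix test below can be sidestepped. */
int submodule_name_is_sane(const char *name)
{
    if (strchr(name, '\\'))
        return 0;
    for (;;) {
        size_t len = strcspn(name, "/");
        if (len == 0 || (len == 1 && name[0] == '.') ||
            (len == 2 && name[0] == '.' && name[1] == '.'))
            return 0;
        if (name[len] == '\0')
            return 1;
        name += len + 1;
    }
}

/* Assumption: git dirs live at .git/modules/<name>. Returns -1 if none nests in
 * another, else the index of the first unsafe or colliding name. */
int first_unsafe_submodule(const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (!submodule_name_is_sane(names[i]))
            return (int)i;
        for (size_t j = 0; j < i; j++)
            if (path_contains(names[j], names[i]) ||
                path_contains(names[i], names[j]))
                return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: the third git dir would sit inside the first. */
    const char *names[] = { "hippo", "docs", "hippo/hooks" };
    printf("first unsafe index: %d\n", first_unsafe_submodule(names, 3));
}
```

Run the check over every name in `.gitmodules` before any submodule directory is created, and refuse the clone when it returns an index.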
    
    References:
    - https://bugs.mageia.org/show_bug.cgi?id=25348
    - https://github.com/libgit2/libgit2/releases/tag/v0.28.3
    - https://github.com/libgit2/libgit2/releases/tag/v0.28.4
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387
    
    SRPMS:
    - 7/core/libgit2-0.28.4-1.mga7
    