Stay Secure with the Latest Linux Advisories

security advisoryupdatecritical

Fedora 27: FEDORA-2018-ca483ae3e0 Critical: Libgit2 Out-Of-Bounds Read

This is a security release fixing out-of-bounds reads when processing smart- protocol "ng" packets. When parsing an "ng" packet, we keep track of both the current position as well as the remaining length of the packet itself. But instead of taking care not to exceed the length, we pass the current pointer's position to strchr, which will search for a certain character until hitting NUL.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2018-ca483ae3e0 2018-08-19 00:21:11.228914 --------------------------------------------------------------------------------Name : libgit2 Product : Fedora 27 Version : 0.26.6 Release : 1.fc27 URL : https://libgit2.org/ Summary : C implementation of the Git core methods as a library with a solid API Description : libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API, allowing you to write native speed custom Git applications in any language with bindings. --------------------------------------------------------------------------------Update Information: This is a security release fixing out-of-bounds reads when processing smart-protocol "ng" packets. When parsing an "ng" packet, we keep track of both the current position as well as the remaining length of the packet itself. But instead of taking care not to exceed the length, we pass the current pointer's position to strchr, which will search for a certain character until hitting NUL. It is thus possible to create a crafted packet which doesn't contain a NUL byte to trigger an out-of-bounds read. The issue was discovered by the oss-fuzz project, issue 9406. --------------------------------------------------------------------------------ChangeLog: * Tue Aug 7 2018 Pete Walter - 0.26.6-1 - Update to 0.26.6 * Tue Jul 10 2018 Pete Walter - 0.26.5-1 - Update to 0.26.5 (CVE-2018-10887, CVE-2018-10888) * Mon Jun 25 2018 PeteWalter - 0.26.4-1 - Update to 0.26.4 (CVE-2018-11235) * Mon Mar 12 2018 Igor Gnatenko - 0.26.3-1 - Update to 0.26.3 * Wed Feb 7 2018 Fedora Release Engineering - 0.26.0-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Fri Feb 2 2018 Igor Gnatenko - 0.26.0-4 - Switch to %ldconfig_scriptlets --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-ca483ae3e0' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./message/CM5WCC5TEFHVNXMJDTRRAD6VFTJLCDA4/ . A pivotal security enhancement for Fedora 27's libgit2 resolves out-of-bounds read vulnerabilities associated with smart protocol ng packets.. Fedora Update, Libgit2 Security, Out-of-Bounds Fix, Smart Protocol Issue. . Severity: Critical. LinuxSecurity.com Team

Aug 19, 2018 •Critical Fedora