Bug 1411857 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130)

Summary: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 libgit2: Two vulnerabilities fixed in libgit2 0.25.1 and 0.24.6
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: i, ignatenko, veeti.paananen, walter.pete
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: libgit2 0.25.1, libgit2 0.24.6
Last Closed: 2018-06-26 15:03:13 UTC
Bug Depends On: 1411859, 1411860

Description Andrej Nemec 2017-01-10 16:09:09 UTC
Two new versions of libgit2 were released containing two security fixes. The first one performs extra sanitization for some edge cases in the Git Smart Protocol which can lead to attempting to parse outside of the buffer.

The second fix affects the certificate check callback. It provides a valid parameter to indicate whether the native cryptographic library considered the certificate to be correct. This parameter is always 1/true before this fix, leading to a possible MITM.

This does not affect you if you do not use the custom certificate callback or if you do not take this value into account. This does affect you if you use pygit2 or git2go regardless of whether you specify a certificate check callback.

References:

http://seclists.org/oss-sec/2017/q1/49

External References:

https://github.com/libgit2/libgit2/releases/tag/v0.25.1
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

Upstream patches:

https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a
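
The following is an added example, not code from libgit2, pygit2, git2go or this bug report. It shows the kind of fail-closed policy a libgit2 certificate check callback should apply given the second issue above. libgit2 invokes the callback as git_transport_certificate_check_cb(git_cert *cert, int valid, const char *host, void *payload); returning 0 accepts the connection and a negative value (libgit2's own GIT_ECERTIFICATE) rejects it. Because 'valid' was unconditionally 1 before 0.25.1 and 0.24.6, a callback written as "return valid ? 0 : -1;" accepted any server certificate. The policy below still refuses whenever the native library refused, but additionally requires the host to be allow-listed and, where a pin is configured, the presented certificate's SHA-256 fingerprint to match. The function name check_server_cert, the host names, the pinned fingerprints and the assumption that the caller computes the hex SHA-256 of the certificate bytes (for HTTPS, the DER data libgit2 exposes in git_cert_x509) are all constructed for this example.

```c
/*
 * Added example (not libgit2's code): a fail-closed certificate-check policy
 * of the kind a git_transport_certificate_check_cb would apply.
 *
 * libgit2 calls the callback as
 *     int cb(git_cert *cert, int valid, const char *host, void *payload)
 * where 'valid' reports whether the native TLS/SSH library accepted the
 * certificate; 0 from the callback accepts, a negative value rejects.
 * Before 0.25.1 / 0.24.6 'valid' was always 1, so "return valid ? 0 : -1;"
 * accepted every server.  This policy requires valid == 1 but does not
 * rely on it alone.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CERT_ACCEPT  0
#define CERT_REJECT (-1)   /* any negative return makes libgit2 abort the connection */

/* Allow-list of hosts with optional pins.  Host names and fingerprints are
 * constructed for this example; a real deployment would load them from
 * configuration.  A pin is lower-case hex of SHA-256 over the DER certificate
 * (for HTTPS, the bytes libgit2 exposes in git_cert_x509->data / len). */
struct pinned_host {
    const char *host;
    const char *sha256_hex;   /* NULL: accept any certificate the TLS library validated */
};

static const struct pinned_host allowed_hosts[] = {
    { "git.example.test",
      "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" },
    { "mirror.example.test", NULL },
};

/* Compare two hex fingerprints without stopping at the first differing byte. */
static int fingerprint_equal(const char *a, const char *b)
{
    size_t i, la = strlen(a), lb = strlen(b);
    unsigned char diff = 0;

    if (la != lb)
        return 0;
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/*
 * Decide whether to accept the server certificate.
 *   valid            - the flag libgit2 passes to the callback
 *   host             - the host name being connected to
 *   presented_sha256 - hex SHA-256 of the presented certificate, computed by
 *                      the caller from the certificate bytes, or NULL if absent
 */
int check_server_cert(int valid, const char *host, const char *presented_sha256)
{
    size_t i;

    /* Never override a rejection by the native library. */
    if (!valid || host == NULL)
        return CERT_REJECT;

    for (i = 0; i < sizeof allowed_hosts / sizeof allowed_hosts[0]; i++) {
        const struct pinned_host *p = &allowed_hosts[i];

        if (strcmp(p->host, host) != 0)
            continue;
        if (p->sha256_hex == NULL)
            return CERT_ACCEPT;                 /* allow-listed, no pin configured */
        if (presented_sha256 == NULL)
            return CERT_REJECT;                 /* pinned, but nothing to compare */
        return fingerprint_equal(p->sha256_hex, presented_sha256)
               ? CERT_ACCEPT : CERT_REJECT;
    }
    return CERT_REJECT;                         /* unknown host: fail closed */
}

int main(void)
{
    /* Constructed inputs: a pre-fix libgit2 would have passed valid == 1 for
     * every one of these; the policy still rejects the wrong certificate. */
    const char *good = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
    const char *bad  = "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff";

    printf("pinned host, matching pin : %d\n", check_server_cert(1, "git.example.test", good));
    printf("pinned host, wrong cert   : %d\n", check_server_cert(1, "git.example.test", bad));
    printf("native check failed       : %d\n", check_server_cert(0, "git.example.test", good));
    printf("unlisted host             : %d\n", check_server_cert(1, "unlisted.example.test", NULL));
    return 0;
}
```

For SSH remotes the same policy applies, except that libgit2 hands the callback a git_cert_hostkey whose hash fields already hold the host key digest, so no fingerprint computation by the caller is needed.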

Comment 1 Andrej Nemec 2017-01-10 16:09:48 UTC
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1411859]
Affects: epel-all [bug 1411860]

Comment 2 Andrej Nemec 2017-01-11 09:07:04 UTC
CVE assignments:

http://seclists.org/oss-sec/2017/q1/59

Comment 3 Andrej Nemec 2017-04-12 07:18:32 UTC
CVE-2017-5338 and CVE-2017-5339 were rejected.

Name: CVE-2017-5338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5338
Assigned: 20170110

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This
candidate was withdrawn by its CNA. Further investigation showed that
it was not a security issue. Notes: none.

Name: CVE-2017-5339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5339
Assigned: 20170110

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This
candidate was withdrawn by its CNA. Further investigation showed that
it was not a security issue. Notes: none.