Bug 1765164

Summary: libgit2: Out-of-bounds write via commits with large number of parents
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bcl, i, icq, igor.raits, walter.pete
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: libgit2 0.28.3
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-25 22:12:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1765165, 1765166, 1770895
Bug Blocks: 1765169

Description Pedro Sampaio 2019-10-24 12:51:39 UTC
A flaw was found in libgit2 before version 0.28.3. As described in upstream change logs, a carefully constructed commit object with a very large number of parents may lead to potential out-of-bounds writes or potential denial of service.

Upstream patch:

https://github.com/libgit2/libgit2/commit/3316f666566f768eb8aa8de521a5262524dc3424

References:

https://github.com/libgit2/libgit2/releases/tag/v0.28.3

Comment 1 Pedro Sampaio 2019-10-24 12:51:55 UTC
Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1765166]
Affects: fedora-all [bug 1765165]

Comment 4 Marco Benatto 2019-11-11 13:40:33 UTC
There's a bug in libgit2 in the alloc_parents() function. When using the commit_quick_parse() function to parse commit information, it calculates the number of existing parent commits and passes this value to alloc_parents() as a parameter. The alloc_parents() function tries to allocate the required amount of memory by simply multiplying the number of parents requested by the size of the respective element; this result is cast to the uint32_t type, which makes the function prone to overflow. An attacker can leverage it by crafting a commit object with a big number of parent commits in order to trigger the overflow in the memory amount; this further implies an out-of-bounds write in commit_quick_parse(), leading to a denial-of-service issue or possibly allowing arbitrary code execution under certain conditions.
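The narrowing multiply that comment 4 describes, beside an overflow-checked replacement, as an added illustration; this is not libgit2's code, and the `parent_id` type and function names are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for a parent entry (20-byte SHA-1 object id);
 * not libgit2's real type. */
typedef struct { unsigned char id[20]; } parent_id;

/* Vulnerable pattern from comment 4: the byte count is narrowed to
 * uint32_t, so a huge parent count wraps to a tiny allocation while the
 * parser still writes one entry per parent. Returns the wrapped size. */
uint32_t unchecked_alloc_size(size_t nparents)
{
    return (uint32_t)(nparents * sizeof(parent_id));
}

/* Overflow-checked multiply: reports failure instead of wrapping. */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened allocation: stays in size_t throughout and refuses counts
 * whose byte size is not representable. Returns 0 on success, -1 on
 * failure (with *out left NULL). */
int alloc_parents_checked(size_t nparents, parent_id **out)
{
    size_t bytes;
    *out = NULL;
    if (checked_mul(nparents, sizeof(parent_id), &bytes) < 0)
        return -1;
    *out = malloc(bytes ? bytes : 1);  /* avoid malloc(0) ambiguity */
    return *out ? 0 : -1;
}
```

With 20-byte entries, a count of 214748365 yields 4294967300 bytes, which the unchecked path truncates to 4: room for no complete entry at all.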