Bug 1411857 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130) - CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 libgit2: Two vulnerabilities fixed in libgit2 0.25.1 and 0.24.6
Summary: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 libgit2: Two vulnerabilities fix...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-10128, CVE-2016-10129, CVE-2016-10130
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1411859 1411860
Blocks:
 
Reported: 2017-01-10 16:09 UTC by Andrej Nemec
Modified: 2019-09-29 14:03 UTC (History)

Fixed In Version: libgit2 0.25.1, libgit2 0.24.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-26 15:03:13 UTC



Description Andrej Nemec 2017-01-10 16:09:09 UTC
Two new versions of libgit2 were released containing two security fixes. The first one performs extra sanitization for some edge cases in the Git Smart Protocol, which can lead to attempting to parse outside of the buffer.

The second fix affects the certificate check callback. It provides a valid parameter to indicate whether the native cryptographic library considered the certificate to be correct. This parameter is always 1/true before this fix, leading to a possible MITM.

This does not affect you if you do not use the custom certificate callback or if you do not take this value into account. This does affect you if you use pygit2 or git2go regardless of whether you specify a certificate check callback.

References:

http://seclists.org/oss-sec/2017/q1/49

External References:

https://github.com/libgit2/libgit2/releases/tag/v0.25.1
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

Upstream patches:

https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a
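
The first fix above concerns length handling in Git Smart Protocol packet lines ("pkt-lines": a 4-digit hex length prefix that counts itself, followed by the payload, with "0000" as a flush packet). The following is an added, self-contained example written for this page, not libgit2's own parser: it shows the bounds checks a pkt-line reader needs before it touches the payload, in particular rejecting the length values 1..3, which are shorter than their own prefix and would wrap to a huge size_t if the 4-byte prefix were subtracted, and refusing to read a payload the length field promises but the buffer does not contain. The constant names, the status enum and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN_SIZE 4       /* the hex length prefix, counted in the length */
#define PKT_MAX_LEN  65520   /* 65516 payload bytes plus the 4-byte prefix */

typedef enum {
    PKT_OK = 0,      /* one complete packet parsed */
    PKT_FLUSH,       /* "0000" flush-pkt */
    PKT_NEED_MORE,   /* prefix promises more bytes than the buffer holds */
    PKT_BAD_LENGTH   /* non-hex digit, or a length the protocol forbids */
} pkt_status;

typedef struct {
    const char *data;  /* points into the caller's buffer, not copied */
    size_t len;        /* payload length, excluding the 4-byte prefix */
} pkt_line;

/* Decode the 4 hex digits of the prefix; -1 on any non-hex character. */
static long pkt_parse_len(const char *buf)
{
    long len = 0;
    for (int i = 0; i < PKT_LEN_SIZE; i++) {
        char c = buf[i];
        int v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else return -1;
        len = (len << 4) | v;
    }
    return len;
}

/* Parse one pkt-line from buf[0..buflen). On PKT_OK/PKT_FLUSH, *consumed is
 * the number of bytes the packet occupied so the caller can advance. Every
 * length check happens before any payload byte is read. */
pkt_status pkt_parse(const char *buf, size_t buflen, pkt_line *out, size_t *consumed)
{
    *consumed = 0;
    out->data = NULL;
    out->len = 0;
    if (buflen < PKT_LEN_SIZE)
        return PKT_NEED_MORE;             /* cannot even read the prefix yet */

    long len = pkt_parse_len(buf);
    if (len < 0)
        return PKT_BAD_LENGTH;
    if (len == 0) {                       /* flush-pkt */
        *consumed = PKT_LEN_SIZE;
        return PKT_FLUSH;
    }
    /* 1..3 is shorter than the prefix itself: len - PKT_LEN_SIZE would wrap. */
    if (len < PKT_LEN_SIZE || len > PKT_MAX_LEN)
        return PKT_BAD_LENGTH;
    /* Never read past the bytes we actually have, whatever the prefix says. */
    if ((size_t)len > buflen)
        return PKT_NEED_MORE;

    out->data = buf + PKT_LEN_SIZE;
    out->len = (size_t)len - PKT_LEN_SIZE;
    *consumed = (size_t)len;
    return PKT_OK;
}

/* Helper for checking: 1 if the parse yields `want` and, when `payload` is
 * non-NULL, exactly that payload. */
int pkt_check(const char *buf, size_t buflen, pkt_status want, const char *payload)
{
    pkt_line pl;
    size_t used;
    if (pkt_parse(buf, buflen, &pl, &used) != want)
        return 0;
    if (payload == NULL)
        return 1;
    return pl.len == strlen(payload) && memcmp(pl.data, payload, pl.len) == 0;
}

int main(void)
{
    /* Constructed stream: two packets, a flush, then a malformed "0003". */
    const char stream[] = "0009want\n000eref: main\n00000003";
    size_t off = 0, n = sizeof(stream) - 1;
    while (off < n) {
        pkt_line pl;
        size_t used;
        pkt_status st = pkt_parse(stream + off, n - off, &pl, &used);
        if (st == PKT_OK)
            printf("pkt: %.*s", (int)pl.len, pl.data);
        else if (st == PKT_FLUSH)
            printf("flush\n");
        else {
            printf("stopped: status %d at offset %zu\n", (int)st, off);
            break;
        }
        off += used;
    }
    return 0;
}
```

The loop in main stops at the first packet it cannot safely consume; a real transport would treat PKT_BAD_LENGTH as a protocol error and PKT_NEED_MORE as a signal to read more bytes before retrying from the same offset.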

Comment 1 Andrej Nemec 2017-01-10 16:09:48 UTC
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1411859]
Affects: epel-all [bug 1411860]

Comment 2 Andrej Nemec 2017-01-11 09:07:04 UTC
CVE assignments:

http://seclists.org/oss-sec/2017/q1/59

Comment 3 Andrej Nemec 2017-04-12 07:18:32 UTC
CVE-2017-5338 and CVE-2017-5339 were rejected.

Name: CVE-2017-5338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5338
Assigned: 20170110

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This
candidate was withdrawn by its CNA. Further investigation showed that
it was not a security issue. Notes: none.

Name: CVE-2017-5339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5339
Assigned: 20170110

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This
candidate was withdrawn by its CNA. Further investigation showed that
it was not a security issue. Notes: none.
