Bug 1598021 (CVE-2018-10887) - CVE-2018-10887 libgit2: integer overflow leads to out-of-bounds read in git_delta_apply, allowing to read before base array
Summary: CVE-2018-10887 libgit2: integer overflow leads to out-of-bounds read in git_d...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-10887
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1599319
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-04 07:36 UTC by Riccardo Schirone
Modified: 2021-02-17 00:00 UTC (History)
6 users (show)

Fixed In Version: libgit2 0.27.3, libgit2 0.26.5
Doc Type: ---
Doc Text:
It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.
Clone Of:
Environment:
Last Closed: 2018-07-11 12:44:45 UTC
Embargoed:

Attachments (Terms of Use)

Description Riccardo Schirone 2018-07-04 07:36:14 UTC 
An unexpected sign extension in git_delta_apply function leads to an integer overflow in the bounds check, allowing to bypass it and to read some bytes before the `base` object. An attacker may use this flaw to get an information leak or cause a Denial of Service.
Comment 1 Riccardo Schirone 2018-07-04 07:36:17 UTC 
Acknowledgments:

Name: Riccardo Schirone (Product Security Red Hat)
Comment 3 Riccardo Schirone 2018-07-09 13:34:38 UTC 
Patch:
https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a
https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22
Comment 4 Riccardo Schirone 2018-07-09 13:34:46 UTC 
External References:

https://github.com/libgit2/libgit2/releases/tag/v0.27.3
Comment 5 Riccardo Schirone 2018-07-09 13:36:06 UTC 
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1599319]
Note You need to log in before you can comment on or make changes to this bug.