A flaw was found in libgit2 before version 0.28.3. As described in upstream change logs, a carefully constructed commit object with a very large number of parents may lead to potential out-of-bounds writes or potential denial of service.

Upstream patch: https://github.com/libgit2/libgit2/commit/3316f666566f768eb8aa8de521a5262524dc3424

References: https://github.com/libgit2/libgit2/releases/tag/v0.28.3
Created libgit2 tracking bugs for this issue:

Affects: epel-6 [bug 1765166]
Affects: fedora-all [bug 1765165]
There's a bug in libgit2 in the alloc_parents() function. When the commit_quick_parse() function is used to parse commit information, it calculates the number of existing parent commits and passes this value to alloc_parents() as a parameter. The alloc_parents() function tries to allocate the required amount of memory by simply multiplying the number of parents requested by the size of the respective element; this result is cast to the uint32_t type, which makes the function prone to overflow. An attacker can leverage it by crafting a commit object with a big number of parent commits in order to trigger the overflow in the memory amount; this further implies an out-of-bounds write in commit_quick_parse(), leading to a Denial-of-Service issue or possibly allowing arbitrary code execution under certain conditions.
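The allocation-size pattern described in the comment above, modelled as an added example (this is illustrative code, not libgit2's own alloc_parents(), and the 20-byte parent element and the function names are assumptions): the vulnerable form truncates the product to uint32_t, the hardened form checks the multiplication in size_t and refuses the object when the product does not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a parent entry; the real element type and size
 * in libgit2 are not given on this page, so 20 bytes (one OID) is assumed. */
typedef struct { unsigned char id[20]; } parent_entry_t;

/* Vulnerable pattern (hypothetical): the byte count is computed and then
 * cast to uint32_t, so a large parent count wraps to a much smaller value.
 * Allocating that smaller buffer and then writing nparents entries into it
 * is the out-of-bounds write the advisory describes. */
uint32_t vulnerable_alloc_size(size_t nparents)
{
    return (uint32_t)(nparents * sizeof(parent_entry_t));
}

/* Hardened pattern: overflow-checked multiplication in size_t. Returns false
 * when nparents * sizeof(parent_entry_t) cannot be represented, so the caller
 * rejects the commit object instead of allocating too little. */
bool checked_alloc_size(size_t nparents, size_t *out_bytes)
{
    if (nparents != 0 && sizeof(parent_entry_t) > SIZE_MAX / nparents)
        return false;               /* product would wrap */
    *out_bytes = nparents * sizeof(parent_entry_t);
    return true;
}

/* Returns true when the vulnerable computation yields a buffer smaller than
 * the size actually needed for nparents entries (or when the size is not
 * representable at all), i.e. when the truncation would be exploitable. */
bool vulnerable_underallocates(size_t nparents)
{
    size_t need;
    if (!checked_alloc_size(nparents, &need))
        return true;                /* even size_t overflows: must be rejected */
    return (size_t)vulnerable_alloc_size(nparents) < need;
}
```

For a parent count of 2^28 the true requirement is 5368709120 bytes, while the uint32_t result wraps to 1073741824, so the checked helper is what turns an under-allocation into a clean parse failure.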