Two new versions of libgit2 (0.25.1 and 0.24.6) were released, each containing two security fixes.

The first fix performs extra sanitization for some edge cases in the Git Smart Protocol (pkt-line framing) which could otherwise lead to attempting to parse outside of the buffer.

The second fix affects the certificate check callback. The library now passes a meaningful 'valid' parameter to the callback, indicating whether the native cryptographic library considered the certificate to be correct. Before this fix the parameter was always 1/true, so a callback that relied on it would accept any certificate, allowing a man-in-the-middle (MITM) attack. This does not affect you if you do not use a custom certificate check callback, or if your callback does not take this value into account. It does affect you if you use pygit2 or git2go, regardless of whether you specify a certificate check callback.

References:
http://seclists.org/oss-sec/2017/q1/49

External References:
https://github.com/libgit2/libgit2/releases/tag/v0.25.1
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

Upstream patches:
https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a
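To make the first fix concrete, here is an added example (written for this page, not libgit2's own code, and not a reproduction of its pre-fix parser) of a bounds-checked parser for Git pkt-line framing, the framing the Smart Protocol uses: a 4-digit hex length that includes the header itself, "0000" as the flush packet, and the payload following the header. The page does not say which specific edge cases libgit2's patch sanitizes, so the checks below are the general ones any pkt-line reader needs before touching the payload: header fully present, header is hex, a declared length of 1 to 3 rejected (it would underflow len - 4), and the declared length not exceeding the bytes actually held. The function and type names are my own.

```c
/* Added example: bounds-checked Git pkt-line parsing. Illustrative code for
 * this page; it is not libgit2's implementation. */
#include <stddef.h>
#include <string.h>

enum pkt_type {
    PKT_FLUSH,      /* "0000": flush packet, carries no payload */
    PKT_DATA,       /* a line with a (possibly empty) payload */
    PKT_NEED_MORE,  /* buffer ends before the line does: read more, parse nothing */
    PKT_INVALID     /* malformed header: non-hex digits, or a length 1..3 */
};

struct pkt_line {
    enum pkt_type type;
    const char *payload; /* points into the caller's buffer, not a copy */
    size_t payload_len;  /* declared length minus the 4-byte header */
};

static int hex_digit(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one pkt-line from buf[0 .. avail). Returns the bytes consumed, or 0
 * when nothing could be consumed (out->type says why). Every read is checked
 * against avail, so a hostile or truncated stream cannot make the parser look
 * past the end of the buffer. */
size_t pkt_parse_line(const char *buf, size_t avail, struct pkt_line *out)
{
    size_t len = 0;
    int i;

    out->payload = NULL;
    out->payload_len = 0;

    /* The 4-byte hex header must be fully present before it is read. */
    if (avail < 4) {
        out->type = PKT_NEED_MORE;
        return 0;
    }
    for (i = 0; i < 4; i++) {
        int d = hex_digit(buf[i]);
        if (d < 0) {
            out->type = PKT_INVALID;
            return 0;
        }
        len = (len << 4) | (size_t)d;
    }

    /* "0000" is the flush packet. */
    if (len == 0) {
        out->type = PKT_FLUSH;
        return 4;
    }

    /* A length of 1..3 cannot cover its own header. Without this check,
     * len - 4 wraps to a huge size_t and the payload would be read far
     * outside the buffer. */
    if (len < 4) {
        out->type = PKT_INVALID;
        return 0;
    }

    /* The declared length must fit in what is actually held. */
    if (len > avail) {
        out->type = PKT_NEED_MORE;
        return 0;
    }

    out->type = PKT_DATA;
    out->payload = buf + 4;
    out->payload_len = len - 4;
    return len;
}

/* Walk a buffer line by line. Returns the number of data lines seen, or -1 on
 * a malformed line. Stops cleanly at the first incomplete line. */
int pkt_count_lines(const char *buf, size_t avail)
{
    int count = 0;
    size_t off = 0;
    struct pkt_line p;

    while (off < avail) {
        size_t used = pkt_parse_line(buf + off, avail - off, &p);
        if (p.type == PKT_INVALID) return -1;
        if (p.type == PKT_NEED_MORE) break;
        if (p.type == PKT_DATA) count++;
        off += used;
    }
    return count;
}
```

The important design point is that PKT_NEED_MORE and PKT_INVALID are distinct outcomes: a short read is normal on a socket and the caller should buffer more, whereas a length of 1..3 or a non-hex header is never legitimate and should abort the transport rather than be "repaired". Constructed inputs such as "0008abcd" (one data line), "0000" (flush), "0001" (invalid) and "0010short" (declared 16 bytes, only 9 present) exercise each branch.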
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 1411859]
Affects: epel-all [bug 1411860]
CVE assignments: http://seclists.org/oss-sec/2017/q1/59
CVE-2017-5338 and CVE-2017-5339 were rejected by MITRE:

Name: CVE-2017-5338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5338
Assigned: 20170110
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Name: CVE-2017-5339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5339
Assigned: 20170110
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.