Debian Long Term Support / LTS Security Information / 2022 / Security Information -- DLA-2936-1 libgit2

Debian Security Advisory

DLA-2936-1 libgit2 -- LTS security update

Date Reported:

21 Mar 2022

Affected Packages:

libgit2

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 892961, Bug 892962, Bug 903508, Bug 903509.
In Mitre's CVE dictionary: CVE-2018-8098, CVE-2018-8099, CVE-2018-10887, CVE-2018-10888, CVE-2018-15501, CVE-2020-12278, CVE-2020-12279.

More information:

Multiple vulnerabilities were found in libgit2, a low-level Git library, and are as follows:

• CVE-2018-8098

  Integer overflow in the index.c:read_entry() function while decompressing a compressed prefix length in libgit2 before v0.26.2 allows an attacker to cause a denial of service (out-of-bounds read) via a crafted repository index file.

• CVE-2018-8099

  Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2 before v0.26.2, which allows an attacker to cause a denial of service via a crafted repository index file.

• CVE-2018-10887

  It has been discovered that an unexpected sign extension in git_delta_apply function in delta-apply.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.

• CVE-2018-10888

  A missing check in git_delta_apply function in delta-apply.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service.

• CVE-2018-15501

  In ng_pkt in transports/smart_pkt.c in libgit2, a remote attacker can send a crafted smart-protocol ng packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS.

• CVE-2020-12278

  path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.

• CVE-2020-12279

  checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.

For Debian 9 stretch, these problems have been fixed in version 0.25.1+really0.24.6-1+deb9u1.

We recommend that you upgrade your libgit2 packages.

For the detailed security status of libgit2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libgit2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS