Bugzilla – Bug 1003810
VUL-0: CVE-2016-8568, CVE-2016-8569: libgit2: invalid memory accesses parsing object files
Last modified: 2019-05-22 00:35:09 UTC
References: http://seclists.org/oss-sec/2016/q4/59
====================================================
Hi,

We recently reported two invalid memory accesses in the last revision of libgit2:

* Read out-of-bounds in git_oid_nfmt: https://github.com/libgit2/libgit2/issues/3936
* DoS using a null pointer dereference in git_commit_message: https://github.com/libgit2/libgit2/issues/3937

The developers are preparing a patch to harden object parsing in libgit2 here: https://github.com/libgit2/libgit2/pull/3956

Please assign one or more CVE if suitable.

Regards,
Gustavo.
====================================================
https://software.opensuse.org/package/libgit2
bugbot adjusting priority
in sle12 sp2 ga tree and opensuse
Scott, please submit for openSUSE:
devel:libraries:c_c++/libgit2 for openSUSE:Factory
openSUSE:13.2:Update/libgit2
openSUSE:Leap:42.1:Update/libgit2
openSUSE:Backports:SLE-12-SP1/libgit2
SUSE-SU-2016:2969-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1003810
CVE References: CVE-2016-8568,CVE-2016-8569
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libgit2-0.24.1-3.1
HPJ - can you look into the versions listed in comment#6 and submit patches if necessary (devel:libraries:c_c++ has already been fixed). The code has changed quite a bit for some of the older versions.
openSUSE-SU-2016:3097-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1003810
CVE References: CVE-2016-8568,CVE-2016-8569
Sources used:
openSUSE Leap 42.2 (src): libgit2-0.24.1-3.1
Ping for the submissions below:

(In reply to Andreas Stieger from comment #6)
> openSUSE:13.2:Update/libgit2

Couple of days left in maintenance for this one.

> openSUSE:Leap:42.1:Update/libgit2

..months

> openSUSE:Backports:SLE-12-SP1/libgit2

https://build.opensuse.org/request/show/449636
This is an autogenerated message for OBS integration:
This bug (1003810) was mentioned in
https://build.opensuse.org/request/show/449822 13.2 / libgit2
https://build.opensuse.org/request/show/449835 42.1 / libgit2
openSUSE-SU-2017:0184-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1003810
CVE References: CVE-2016-8568,CVE-2016-8569
Sources used:
openSUSE 13.2 (src): libgit2-0.21.5-2.6.1
openSUSE-SU-2017:0195-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1003810
CVE References: CVE-2016-8568,CVE-2016-8569
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): libgit2-0.24.3-6.1
All submissions are done - assigning to security team.
openSUSE-SU-2017:0208-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1003810
CVE References: CVE-2016-8568,CVE-2016-8569
Sources used:
openSUSE Leap 42.1 (src): libgit2-0.22.1-5.1
released