Bug 26464

Summary: libgit2 new security issues fixed upstream in 0.28.5
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: Mageia 7   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: libgit2-0.28.4-2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-04-09 22:54:37 CEST 
libgit2 0.28.5 has been released on April 1, fixing bugs and minor security issues:
https://github.com/libgit2/libgit2/releases/tag/v0.28.5

Fedora has issued an advisory for this today (April 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HGUWBJBCQ2OYQ6KYKUNRYANFT5MCEIJK/

Mageia 7 is also affected.
David Walser 2020-04-09 22:54:49 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.28.5

Comment 1 David GEIGER 2020-04-10 07:03:47 CEST 
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 Lewis Smith 2020-04-10 09:34:42 CEST 
Another update done sooner than said!

Assigning to you DavidG as having actually done it. No point in leaving any bug with bugsquad once it has been taken on board.
It will need an advisory before being passed to QA.

CC: geiger.david68210 => (none)
Assignee: bugsquad => geiger.david68210

Comment 3 David Walser 2020-04-10 16:42:53 CEST 
Advisory:
========================

The libgit2 package has been updated to version 0.28.5, which fixes some
out-of-bounds reads, as well as several other bugs.  See the release
announcement for details.

References:
https://github.com/libgit2/libgit2/releases/tag/v0.28.5
========================

Updated packages in core/updates_testing:
========================
libgit2_28-0.28.5-1.mga7
libgit2-devel-0.28.5-1.mga7

from libgit2-0.28.5-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 0.28.5 => (none)
CC: (none) => geiger.david68210

Comment 4 Herman Viaene 2020-04-13 15:51:11 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 25348, I ran at CLI:
$ strace -o libgit2.txt basket 
Kdelibs4ConfigMigrator migrate=true
Kdelibs4Migration: start copying basket data
KIO::CopyJob finished with result 111
"The file or folder /home/tester7/.kde/share/apps/basket does not exist."
Of course that didn' exist, there hasn't been a KDE4 on this installation.
Createda new bassket and inserted some text andd a screen capture, Worked OK.
Then
$ grep libgit2 libgit2.txt 
openat(AT_FDCWD, "/lib64/libgit2.so.28", O_RDONLY|O_CLOEXEC) = 3
QED
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-04-13 23:23:40 CEST 
Thank you, Herman. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-04-15 11:16:55 CEST

Target Milestone: --- => Mageia 7
Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2020-04-15 12:13:35 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2020-0094.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED