Bug 22813 - libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501, CVE-2018-17456
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Bruno Cornec
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-21 19:37 CET by David Walser
Modified: 2018-11-10 15:13 CET

See Also:
Source RPM: libgit2-0.26.0-2.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 0.26.7 and 0.27.5



Description David Walser 2018-03-21 19:37:11 CET
Upstream has released 0.26.2 on March 8:
https://github.com/libgit2/libgit2/releases/tag/v0.26.2

0.26.3 is the newest bugfix release.

Fedora has issued an advisory for this on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MW6M4KWQRHIY75BD2EGM2BA7X4XGLIBU/

It lists the wrong CVEs, but the RedHat bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1554366

In addition, Olav reverted the fixes for security Bug 19553 and Bug 19792 before the Mageia 6 release by switching to 0.25.0, which didn't contain the fixes from 0.24.6. Mageia 6 needs to be upgraded to fix those again.
David Walser 2018-03-21 19:37:33 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 0.26.2

Comment 1 Marja Van Waes 2018-03-22 17:29:43 CET
Assigning to the registered maintainer, CC'ing a recent committer.

Assignee: bugsquad => thierry.vignaud
CC: (none) => guillomovitch, marja11

Comment 2 David Walser 2018-03-31 22:43:00 CEST
Fedora advisory from March 30 that lists the wrong CVEs and the right ones:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3XYZBCNDVXULFKTMC5BP3GHL6TKPPJS2/
Comment 3 David Walser 2018-05-29 22:11:12 CEST
0.27.1 fixes CVE-2018-11235 (which also affects git itself):
https://github.com/libgit2/libgit2/releases/tag/v0.27.1

Status comment: Fixed upstream in 0.26.2 => Fixed upstream in 0.27.1

Comment 4 David Walser 2018-07-05 21:23:56 CEST
CVE-2018-11235 also fixed in 0.26.4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JJ2UTQMKUC5NNGLZTBPGXZE5SO6TSRZ7/

Status comment: Fixed upstream in 0.27.1 => Fixed upstream in 0.26.4 and 0.27.1

Comment 5 David Walser 2018-07-05 23:01:09 CEST
libgit2-0.27.2-1.mga7 uploaded for Cauldron by Guillaume.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 6 David Walser 2018-07-20 18:54:06 CEST
CVE-2018-10887 and CVE-2018-10888 also fixed in 0.26.5 and 0.27.3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DI7CXOAS5SSCDPWYHUDJEDPVLTAFS6H/

Version: 6 => Cauldron
Status comment: Fixed upstream in 0.26.4 and 0.27.1 => Fixed upstream in 0.26.5 and 0.27.3
Whiteboard: (none) => MGA6TOO

Comment 7 David Walser 2018-08-09 20:02:43 CEST
Fedora has issued an advisory today (August 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NAFODB7GRTYS4SCIO2GNYOE4NAC7AE3P/

New security issues have been fixed in the last two upstream releases.

Status comment: Fixed upstream in 0.26.5 and 0.27.3 => Fixed upstream in 0.26.6 and 0.27.4
Summary: libgit2 new security issues CVE-2018-8098 and CVE-2018-8099 => libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], upstream issue 9406

Comment 8 David Walser 2018-08-28 22:47:46 CEST
openSUSE has issued an advisory for this on August 25:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00135.html

The newest issue was assigned CVE-2018-15501:
https://bugzilla.suse.com/show_bug.cgi?id=1104641

Summary: libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], upstream issue 9406 => libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501

Comment 9 David Walser 2018-10-16 00:30:02 CEST
Fedora has issued an advisory on October 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXEVWML3VKYFHWWQKWQCLODFETZBMTTC/

It fixes a new issue that also affected git, fixed upstream in 0.26.7 and 0.27.5:
https://github.com/libgit2/libgit2/releases/tag/v0.26.7
https://github.com/libgit2/libgit2/releases/tag/v0.27.5

Summary: libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501 => libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501, CVE-2018-17456
Status comment: Fixed upstream in 0.26.6 and 0.27.4 => Fixed upstream in 0.26.7 and 0.27.5

Comment 10 Bruno Cornec 2018-10-26 03:01:32 CEST
cauldron is fixed with libgit2-0.27.5-1.mga7

What do you want us to do for mga6? There is no patch for the 0.25 branch we have in it. Should we move to 0.26.7 or 0.27.5 as well?

Assignee: thierry.vignaud => bruno
CC: (none) => bruno
Status: NEW => ASSIGNED
Version: Cauldron => 6

Comment 11 David Walser 2018-10-26 03:06:13 CEST
Yeah we should move to the 0.26 branch.
Comment 12 Bruno Cornec 2018-10-27 02:14:54 CEST
libgit2-0.26.7-1.mga6 pushed to mga6 updates.

Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => (none)

Comment 13 David Walser 2018-10-27 02:28:22 CEST
Advisory:
========================

Updated libgit2 packages fix security vulnerabilities:

Read out-of-bounds in git_oid_nfmt (CVE-2016-8568).

DoS using a null pointer dereference in git_commit_message (CVE-2016-8569).

Insufficient sanitization allows some edge cases in the Git Smart Protocol
which can lead to reading outside of a buffer (CVE-2016-10128, CVE-2016-10129).

Several flaws were found in libgit2 before version 0.26.2. There are memory
handling issues when reading crafted repository index files. The issues allow
for possible denial of service due to allocation of large memory and
out-of-bound reads. As the index is never transferred via the network,
exploitation requires an attacker to have access to the local repository
(CVE-2018-8098, CVE-2018-8099).

It has been discovered that an unexpected sign extension in git_delta_apply
function in delta.c file may lead to an integer overflow which in turn leads
to an out of bound read, allowing to read before the base object. An attacker
may use this flaw to leak memory addresses or cause a Denial of Service
(CVE-2018-10887).

A missing check in git_delta_apply function in delta.c file may lead to an
out-of-bound read while reading a binary delta file. An attacker may use this
flaw to cause a Denial of Service (CVE-2018-10888).

A flaw was found in libgit2 which allows arbitrary file write when recursively
cloning a malicious repository. libgit2 can be tricked into writing files
outside the .git/modules directory (CVE-2018-11235).

When parsing an "ng" packet, libgit2 keeps track of both the current position
as well as the remaining length of the packet itself. But instead of taking
care not to exceed the length, libgit2 passes the current pointer's position to
strchr, which will search for a certain character until hitting NUL. It is
thus possible to create a crafted packet which doesn't contain a NUL byte to
trigger an out-of-bounds read (CVE-2018-15501).

An option injection flaw has been discovered in git when it recursively clones
a repository with sub-modules. A remote attacker may configure a malicious
repository and trick a user into recursively cloning it, thus executing
arbitrary commands on the victim's machine (CVE-2018-17456).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17456
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4E77DG5KGQ7L34U75QY7O6NIPKZNQHQJ/
https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3XYZBCNDVXULFKTMC5BP3GHL6TKPPJS2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JJ2UTQMKUC5NNGLZTBPGXZE5SO6TSRZ7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DI7CXOAS5SSCDPWYHUDJEDPVLTAFS6H/
https://lists.opensuse.org/opensuse-updates/2018-08/msg00135.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PKRWJ6IUL2V32F67UNPFRHEF5LEVL2IZ/
========================

Updated packages in core/updates_testing:
========================
libgit2_26-0.26.7-1.mga6
libgit2-devel-0.26.7-1.mga6

from libgit2-0.26.7-1.mga6.src.rpm
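The "ng" packet issue (CVE-2018-15501) in the advisory above comes down to scanning a length-delimited buffer with a NUL-terminated string function. The following is an added example, not libgit2's own code: a hypothetical `parse_ng_packet` that bounds every scan by the remaining packet length with memchr, so a packet without a NUL byte is rejected instead of read past its end. The "ng refs/... message" layout and the function names are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libgit2's code: bounded parser for the body of an
 * "ng <refname> <message>" packet.  The buffer is NOT assumed to be
 * NUL-terminated, so every scan is a memchr() limited by the remaining
 * length.  A strchr() here would keep reading past the packet until it
 * found a NUL, which is the CVE-2018-15501 pattern described above. */

/* Returns 1 and fills ref/reflen and msg/msglen on success, 0 on a packet
 * that is malformed or truncated before the field separator. */
int parse_ng_packet(const char *pkt, size_t len,
                    const char **ref, size_t *reflen,
                    const char **msg, size_t *msglen)
{
    const char *ptr = pkt, *end;

    if (len < 3 || memcmp(ptr, "ng ", 3) != 0)   /* prefix check */
        return 0;
    ptr += 3;
    len -= 3;

    /* refname ends at the first space within the remaining 'len' bytes */
    end = memchr(ptr, ' ', len);
    if (end == NULL)
        return 0;            /* separator missing: reject, do not overrun */
    *ref = ptr;
    *reflen = (size_t)(end - ptr);
    len -= *reflen + 1;      /* consume the refname and the space */
    ptr = end + 1;

    /* message runs to an optional trailing newline or to the packet end */
    end = memchr(ptr, '\n', len);
    *msg = ptr;
    *msglen = end ? (size_t)(end - ptr) : len;
    return 1;
}

/* Convenience wrapper: refname length on success, -1 on a rejected packet.
 * Call it with the real packet length; a truncated packet ("ng refs/" with
 * no separator inside 'len') must come back as -1, never as a read past
 * the buffer. */
long ng_reflen(const char *pkt, size_t len)
{
    const char *ref, *msg;
    size_t reflen, msglen;
    return parse_ng_packet(pkt, len, &ref, &reflen, &msg, &msglen)
               ? (long)reflen : -1;
}
```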
Comment 14 Herman Viaene 2018-10-31 12:10:03 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 19792 Comment 11:
# urpmq --whatrequires libgit2_26
libgit2-devel
libgit2_26
No subsurface as in bug 19792
Installed and run subsurface anyway. Trace confirms call to /lib/libgit2.so.25 which is not the same file as /lib/libgit2.so.26.

So clean install OK as I cannot find any use for 26 (yet)?

CC: (none) => herman.viaene

David Walser 2018-10-31 12:12:15 CET

Keywords: (none) => feedback

Comment 15 David Walser 2018-10-31 12:13:25 CET
Packages built against this library need to be rebuilt.
Comment 16 David Walser 2018-11-09 18:30:27 CET
0.26.8 has fixed more security issues (0.27.7 is the latest in that branch):
https://github.com/libgit2/libgit2/releases/tag/v0.26.8
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RWUYSQIRNA7BF3QIFK765ETPFQ6URXAE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBQO5VQXC473UELXGERG2PBTSBRB3N7A/

So, along with the needed rebuilds, this should be updated again.

Assignee: qa-bugs => bruno
CC: (none) => qa-bugs
Keywords: feedback => (none)

Comment 17 Bruno Cornec 2018-11-10 15:13:02 CET
$ urpmq --whatrequires lib64git2_27
basket
calligra-gemini
fritzing
geany-plugins-git-changebar
lib64basketcommon5
lib64git2-devel
lib64git2-glib1.0_0
lib64git2_27
lib64kf5texteditor5
python2-pygit2
python3-pygit2
subsurface

As we're doing IT here, couldn't the build system take that list and force a regeneration of packages as well, when the submitted package build was successful? That would avoid manual mistakes such as the one I did here and improve quality, no?
Comment 18 Bruno Cornec 2018-11-10 15:13:23 CET
libgit2-0.27.7-1.mga7 uploaded to cauldron
