Upstream has released 0.26.2 on March 8:
https://github.com/libgit2/libgit2/releases/tag/v0.26.2

0.26.3 is the newest bugfix release.

Fedora has issued an advisory for this on March 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MW6M4KWQRHIY75BD2EGM2BA7X4XGLIBU/

It lists the wrong CVEs, but the RedHat bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1554366

In addition, Olav reverted the fixes for security Bug 19553 and Bug 19792 before the Mageia 6 release by switching to 0.25.0, which didn't contain the fixes from 0.24.6. Mageia 6 needs to be upgraded to fix those again.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 0.26.2
Assigning to the registered maintainer, CC'ing a recent committer.
CC: (none) => guillomovitch, marja11
Assignee: bugsquad => thierry.vignaud
Fedora advisory from March 30 that lists the wrong CVEs and the right ones: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3XYZBCNDVXULFKTMC5BP3GHL6TKPPJS2/
0.27.1 fixes CVE-2018-11235 (which also affects git itself): https://github.com/libgit2/libgit2/releases/tag/v0.27.1
Status comment: Fixed upstream in 0.26.2 => Fixed upstream in 0.27.1
CVE-2018-11235 also fixed in 0.26.4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JJ2UTQMKUC5NNGLZTBPGXZE5SO6TSRZ7/
Status comment: Fixed upstream in 0.27.1 => Fixed upstream in 0.26.4 and 0.27.1
libgit2-0.27.2-1.mga7 uploaded for Cauldron by Guillaume.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CVE-2018-10887 and CVE-2018-10888 also fixed in 0.26.5 and 0.27.3: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DI7CXOAS5SSCDPWYHUDJEDPVLTAFS6H/
Whiteboard: (none) => MGA6TOO
Status comment: Fixed upstream in 0.26.4 and 0.27.1 => Fixed upstream in 0.26.5 and 0.27.3
Version: 6 => Cauldron
Fedora has issued an advisory today (August 9):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NAFODB7GRTYS4SCIO2GNYOE4NAC7AE3P/

New security issues have been fixed in the last two upstream releases.
Summary: libgit2 new security issues CVE-2018-8098 and CVE-2018-8099 => libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], upstream issue 9406
Status comment: Fixed upstream in 0.26.5 and 0.27.3 => Fixed upstream in 0.26.6 and 0.27.4
openSUSE has issued an advisory for this on August 25:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00135.html

The newest issue was assigned CVE-2018-15501:
https://bugzilla.suse.com/show_bug.cgi?id=1104641
Summary: libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], upstream issue 9406 => libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501
Fedora has issued an advisory on October 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXEVWML3VKYFHWWQKWQCLODFETZBMTTC/

It fixes a new issue that also affected git, fixed upstream in 0.26.7 and 0.27.5:
https://github.com/libgit2/libgit2/releases/tag/v0.26.7
https://github.com/libgit2/libgit2/releases/tag/v0.27.5
Summary: libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501 => libgit2 new security issues CVE-2018-809[89], CVE-2018-11235, CVE-2018-1088[78], CVE-2018-15501, CVE-2018-17456
Status comment: Fixed upstream in 0.26.6 and 0.27.4 => Fixed upstream in 0.26.7 and 0.27.5
Cauldron is fixed with libgit2-0.27.5-1.mga7.

What do you want us to do for mga6? There is no patch for the 0.25 branch we have in it. Should we move to 0.26.7 or 0.27.5 as well?
CC: (none) => bruno
Assignee: thierry.vignaud => bruno
Version: Cauldron => 6
Status: NEW => ASSIGNED
Yeah we should move to the 0.26 branch.
libgit2-0.26.7-1.mga6 pushed to mga6 updates.
Assignee: bruno => qa-bugs
Whiteboard: MGA6TOO => (none)
Advisory:
========================

Updated libgit2 packages fix security vulnerabilities:

Read out-of-bounds in git_oid_nfmt (CVE-2016-8568).

DoS using a null pointer dereference in git_commit_message (CVE-2016-8569).

Insufficient sanitization allows some edge cases in the Git Smart Protocol which can lead to reading outside of a buffer (CVE-2016-10128, CVE-2016-10129).

Several flaws were found in libgit2 before version 0.26.2. There are memory handling issues when reading crafted repository index files. The issues allow for possible denial of service due to allocation of large memory and out-of-bound reads. As the index is never transferred via the network, exploitation requires an attacker to have access to the local repository (CVE-2018-8098, CVE-2018-8099).

It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service (CVE-2018-10887).

A missing check in git_delta_apply function in delta.c file may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service (CVE-2018-10888).

A flaw was found in libgit2 which allows arbitrary file write when recursively cloning a malicious repository. libgit2 can be tricked into writing files outside the .git/modules directory (CVE-2018-11235).

When parsing an "ng" packet, libgit2 keeps track of both the current position as well as the remaining length of the packet itself. But instead of taking care not to exceed the length, libgit2 passes the current pointer's position to strchr, which will search for a certain character until hitting NUL. It is thus possible to create a crafted packet which doesn't contain a NUL byte to trigger an out-of-bounds read (CVE-2018-15501).

An option injection flaw has been discovered in git when it recursively clones a repository with sub-modules. A remote attacker may configure a malicious repository and trick a user into recursively cloning it, thus executing arbitrary commands on the victim's machine (CVE-2018-17456).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10888
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11235
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17456
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4E77DG5KGQ7L34U75QY7O6NIPKZNQHQJ/
https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3XYZBCNDVXULFKTMC5BP3GHL6TKPPJS2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JJ2UTQMKUC5NNGLZTBPGXZE5SO6TSRZ7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2DI7CXOAS5SSCDPWYHUDJEDPVLTAFS6H/
https://lists.opensuse.org/opensuse-updates/2018-08/msg00135.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PKRWJ6IUL2V32F67UNPFRHEF5LEVL2IZ/
========================

Updated packages in core/updates_testing:
========================
libgit2_26-0.26.7-1.mga6
libgit2-devel-0.26.7-1.mga6

from libgit2-0.26.7-1.mga6.src.rpm
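The length-bounded search that the CVE-2018-15501 paragraph of the advisory above calls for, as an added example that is not libgit2's code and not part of the original comment. `parse_ng_bounded`, `struct ng_fields` and the sample packets are hypothetical, and the `ng <refname> <message>\n` layout is an assumption taken from Git's report-status format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: slices into the caller's buffer, not NUL-terminated. */
struct ng_fields {
    const char *ref; size_t ref_len;
    const char *msg; size_t msg_len;
};

/* Parse "ng <refname> <message>\n" from buf[0..len). Every search is bounded
 * by the bytes remaining (memchr), so a packet with no NUL byte cannot cause
 * a read past buf + len. Returns 0 on success, -1 if the packet is malformed. */
int parse_ng_bounded(const char *buf, size_t len, struct ng_fields *out)
{
    const char *p = buf, *end = buf + len, *sep;

    if (len < 3 || memcmp(p, "ng ", 3) != 0)
        return -1;
    p += 3;

    /* The unbounded form the advisory describes would be strchr(p, ' '). */
    sep = memchr(p, ' ', (size_t)(end - p));
    if (sep == NULL || sep == p)
        return -1;                      /* no separator, or empty refname */
    out->ref = p;
    out->ref_len = (size_t)(sep - p);
    p = sep + 1;

    sep = memchr(p, '\n', (size_t)(end - p));
    if (sep == NULL)
        return -1;                      /* message not terminated in bounds */
    out->msg = p;
    out->msg_len = (size_t)(sep - p);
    return 0;
}

/* Constructed samples. SAMPLE_BAD has no separator and no NUL terminator. */
static const char SAMPLE_OK[] = "ng refs/heads/main denied\n";
static const char SAMPLE_BAD[] = { 'n', 'g', ' ', 'A', 'A', 'A', 'A', 'A' };

int main(void)
{
    struct ng_fields f;
    int ok = parse_ng_bounded(SAMPLE_OK, sizeof(SAMPLE_OK) - 1, &f);
    printf("well-formed: %d ref=%.*s msg=%.*s\n", ok,
           (int)f.ref_len, f.ref, (int)f.msg_len, f.msg);
    printf("crafted: %d\n", parse_ng_bounded(SAMPLE_BAD, sizeof(SAMPLE_BAD), &f));
    return 0;
}
```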
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 19792 Comment 11:
# urpmq --whatrequires libgit2_26
libgit2-devel
libgit2_26
No subsurface as in bug 19792
Installed and run subsurface anyway. Trace confirms call to /lib/libgit2.so.25 which is not the same file as /lib/libgit2.so.26.
So clean install OK as I cannot find any use for 26 (yet)?
CC: (none) => herman.viaene
Keywords: (none) => feedback
Packages built against this library need to be rebuilt.
0.26.8 has fixed more security issues (0.27.7 is the latest in that branch):
https://github.com/libgit2/libgit2/releases/tag/v0.26.8
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RWUYSQIRNA7BF3QIFK765ETPFQ6URXAE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DBQO5VQXC473UELXGERG2PBTSBRB3N7A/

So, along with the needed rebuilds, this should be updated again.
Keywords: feedback => (none)
CC: (none) => qa-bugs
Assignee: qa-bugs => bruno
$ urpmq --whatrequires lib64git2_27
basket
calligra-gemini
fritzing
geany-plugins-git-changebar
lib64basketcommon5
lib64git2-devel
lib64git2-glib1.0_0
lib64git2_27
lib64kf5texteditor5
python2-pygit2
python3-pygit2
subsurface

As we're doing IT here, couldn't the build system take that list and force a regeneration of packages as well, when the submitted package build was successful? That would avoid manual mistakes such as the one I made here and improve quality, no?
libgit2-0.27.7-1.mga7 uploaded to cauldron
Mageia 6 is EOL.
Resolution: (none) => OLD
CC: (none) => mrambo
Status: ASSIGNED => RESOLVED