Upstream has released 0.26.2 on March 8:
0.26.3 is the newest bugfix release.
Fedora has issued an advisory for this on March 20:
It lists the wrong CVEs, but the Red Hat bug is here:
In addition, Olav reverted the fixes for security Bug 19553 and Bug 19792 before the Mageia 6 release by switching to 0.25.0, which didn't contain the fixes from 0.24.6. Mageia 6 needs to be upgraded to fix those again.
Fixed upstream in 0.26.2
Assigning to the registered maintainer, CC'ing a recent committer.
Fedora advisory from March 30 that lists the wrong CVEs and the right ones:
0.27.1 fixes CVE-2018-11235 (which also affects git itself):
Fixed upstream in 0.26.2 =>
Fixed upstream in 0.27.1
CVE-2018-11235 also fixed in 0.26.4:
Fixed upstream in 0.27.1 =>
Fixed upstream in 0.26.4 and 0.27.1
libgit2-0.27.2-1.mga7 uploaded for Cauldron by Guillaume.
CVE-2018-10887 and CVE-2018-10888 also fixed in 0.26.5 and 0.27.3:
Fixed upstream in 0.26.4 and 0.27.1 =>
Fixed upstream in 0.26.5 and 0.27.3
Fedora has issued an advisory today (August 9):
New security issues have been fixed in the last two upstream releases.
Fixed upstream in 0.26.5 and 0.27.3 =>
Fixed upstream in 0.26.6 and 0.27.4
libgit2 new security issues CVE-2018-8098 and CVE-2018-8099 =>
libgit2 new security issues CVE-2018-809, CVE-2018-11235, CVE-2018-1088, upstream issue 9406
openSUSE has issued an advisory for this on August 25:
The newest issue was assigned CVE-2018-15501:
libgit2 new security issues CVE-2018-809, CVE-2018-11235, CVE-2018-1088, upstream issue 9406 =>
libgit2 new security issues CVE-2018-809, CVE-2018-11235, CVE-2018-1088, CVE-2018-15501
Fedora has issued an advisory on October 9:
It fixes a new issue that also affected git, fixed upstream in 0.26.7 and 0.27.5:
libgit2 new security issues CVE-2018-809, CVE-2018-11235, CVE-2018-1088, CVE-2018-15501 =>
libgit2 new security issues CVE-2018-809, CVE-2018-11235, CVE-2018-1088, CVE-2018-15501, CVE-2018-17456
Fixed upstream in 0.26.6 and 0.27.4 =>
Fixed upstream in 0.26.7 and 0.27.5
Cauldron is fixed with libgit2-0.27.5-1.mga7
What do you want us to do for mga6? There is no patch for the 0.25 branch we have in it. Should we move to 0.26.7 or 0.27.5 as well?
Yeah we should move to the 0.26 branch.
libgit2-0.26.7-1.mga6 pushed to mga6 updates.
Updated libgit2 packages fix security vulnerabilities:
Read out-of-bounds in git_oid_nfmt (CVE-2016-8568).
DoS using a null pointer dereference in git_commit_message (CVE-2016-8569).
Insufficient sanitization allows some edge cases in the Git Smart Protocol
which can lead to reading outside of a buffer (CVE-2016-10128, CVE-2016-10129).
Several flaws were found in libgit2 before version 0.26.2. There are memory
handling issues when reading crafted repository index files. The issues allow
for possible denial of service due to allocation of large memory and
out-of-bound reads. As the index is never transferred via the network,
exploitation requires an attacker to have access to the local repository
It has been discovered that an unexpected sign extension in git_delta_apply
function in delta.c file may lead to an integer overflow which in turn leads
to an out of bound read, allowing to read before the base object. An attacker
may use this flaw to leak memory addresses or cause a Denial of Service
A missing check in git_delta_apply function in delta.c file may lead to an
out-of-bound read while reading a binary delta file. An attacker may use this
flaw to cause a Denial of Service (CVE-2018-10888).
A flaw was found in libgit2 which allows arbitrary file write when recursively
cloning a malicious repository. libgit2 can be tricked into writing files
outside the .git/modules directory (CVE-2018-11235).
When parsing an "ng" packet, libgit2 keeps track of both the current position
as well as the remaining length of the packet itself. But instead of taking
care not to exceed the length, libgit2 passes the current pointer's position to
strchr, which will search for a certain character until hitting NUL. It is
thus possible to create a crafted packet which doesn't contain a NUL byte to
trigger an out-of-bounds read (CVE-2018-15501).
An option injection flaw has been discovered in git when it recursively clones
a repository with sub-modules. A remote attacker may configure a malicious
repository and trick a user into recursively cloning it, thus executing
arbitrary commands on the victim's machine (CVE-2018-17456).
Updated packages in core/updates_testing:
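The "ng" packet flaw described in the advisory text above (CVE-2018-15501) comes down to running an unbounded string search over a length-delimited buffer. The following is an added example, not libgit2's code and not part of the original advisory: a length-bounded parser for an assumed "ng <ref> <msg>\n" line layout. The names `ng_fields`, `parse_ng_bounded` and `ref_len_or_error` are hypothetical, and the sample lines are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type for this example; not libgit2's own structure. */
struct ng_fields {
    const char *ref, *msg;
    size_t ref_len, msg_len;
};

/* Parse "ng <ref> <msg>\n" from line[0..len). Returns 0 on success, -1 if malformed. */
int parse_ng_bounded(const char *line, size_t len, struct ng_fields *out)
{
    const char *p = line, *sep;
    if (len < 3 || memcmp(p, "ng ", 3) != 0)
        return -1;
    p += 3;
    len -= 3;
    /* The flawed pattern is strchr(p, ' '), which ignores len and scans to a NUL.
     * memchr stops after len bytes, so an unterminated buffer is not overrun. */
    sep = memchr(p, ' ', len);
    if (sep == NULL || sep == p)
        return -1;
    out->ref = p;
    out->ref_len = (size_t)(sep - p);
    len -= out->ref_len + 1;   /* consume the ref and the separating space */
    p = sep + 1;
    sep = memchr(p, '\n', len);
    if (sep == NULL)
        return -1;
    out->msg = p;
    out->msg_len = (size_t)(sep - p);
    return 0;
}

/* Constructed samples: a well-formed line, and 8 bytes with no NUL, space or LF. */
static const char good_line[] = "ng refs/heads/main non-fast-forward\n";
static const char unterminated[8] = { 'n', 'g', ' ', 'r', 'e', 'f', 's', '/' };
/* Helper for the demo: length of the parsed ref, or -1 when the line is rejected. */
long ref_len_or_error(const char *buf, size_t len)
{
    struct ng_fields f;
    return parse_ng_bounded(buf, len, &f) == 0 ? (long)f.ref_len : -1;
}

int main(void)
{
    printf("%ld %ld\n", ref_len_or_error(good_line, sizeof good_line - 1),
           ref_len_or_error(unterminated, sizeof unterminated));
    return 0;
}
```

Building the test harness with AddressSanitizer (`-fsanitize=address`) is a quick way to confirm that the unterminated sample is rejected without any read past its eighth byte.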
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref to bug 19792 Comment 11:
# urpmq --whatrequires libgit2_26
No subsurface as in bug 19792
Installed and run subsurface anyway. Trace confirms call to /lib/libgit2.so.25 which is not the same file as /lib/libgit2.so.26.
So clean install OK as I cannot find any use for 26 (yet)?
Packages built against this library need to be rebuilt.
0.26.8 has fixed more security issues (0.27.7 is the latest in that branch):
So, along with the needed rebuilds, this should be updated again.
$ urpmq --whatrequires lib64git2_27
As we're doing IT here, couldn't the build system take that list and force a regeneration of packages as well, when the submitted package build was successful? That would avoid manual mistakes such as the one I made here and improve quality, no?
libgit2-0.27.7-1.mga7 uploaded to cauldron