Subject: [ASA-201701-21] libgit2: multiple issues

Arch Linux Security Advisory ASA-201701-21
==========================================

Severity: High
Date    : 2017-01-15
CVE-ID  : CVE-2016-10128 CVE-2016-10129 CVE-2016-10130
Package : libgit2
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-131

Summary
=======

The package libgit2 before version 1:0.24.6-1 is vulnerable to multiple
issues including arbitrary code execution, insufficient validation and
denial of service.

Resolution
==========

Upgrade to 1:0.24.6-1.

# pacman -Syu "libgit2>=1:0.24.6-1"

The problems have been fixed upstream in version 0.24.6.

Workaround
==========

None.

Description
===========

- CVE-2016-10128 (arbitrary code execution)

Each packet line in the Git protocol is prefixed by a four-byte length of
how much data will follow, which is parsed in `git_pkt_parse_line`. The
transmitted length can either be equal to zero in the case of a flush
packet, or has to be at least four, as it also includes the encoded length
itself. Not checking this may result in a buffer overflow, as the length
is passed directly to functions which accept a `size_t` length as
parameter. The issue is fixed by verifying that non-flush packets have a
length of at least `PKT_LEN_SIZE`.

- CVE-2016-10129 (denial of service)

The Git protocol does not specify what should happen in the case of an
empty packet line (that is, a packet line "0004"). Currently the parser
indicates success but does not return a packet when an empty line is hit.
The smart protocol was not prepared to handle such packets in all cases,
though, resulting in a `NULL` pointer dereference. The issue is fixed by
returning an error instead.

- CVE-2016-10130 (insufficient validation)

An issue has been discovered when checking certificate validity before
clobbering the error variable. A valid parameter is provided to indicate
whether the native cryptographic library considered the certificate to be
correct. This parameter is always 1/true before the fix, leading to a
possible man-in-the-middle (MITM).

Impact
======

A remote attacker is able to perform a man-in-the-middle attack, crash the
application or possibly execute arbitrary code on the affected host.

References
==========

http://www.openwall.com/lists/oss-security/2017/01/11/6
https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a
https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22
https://security.archlinux.org/CVE-2016-10128
https://security.archlinux.org/CVE-2016-10129
https://security.archlinux.org/CVE-2016-10130
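The two pkt-line issues in the Description (CVE-2016-10128 and CVE-2016-10129) both come down to what a parser does with the four-byte length prefix before it trusts it. The following is an added, stand-alone illustration written for this advisory; it is not libgit2's code and does not reproduce `git_pkt_parse_line`, its names (`pkt_parse_line`, `pkt_count_stream`, the `pkt_status` values) are assumptions, and the byte stream in `main` is constructed. It shows the order of checks a hardened parser needs: a non-flush length below `PKT_LEN_SIZE` is rejected before any subtraction can wrap a `size_t`, and the empty "0004" line is reported as an error instead of a success with no packet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the hexadecimal length prefix on every pkt-line. */
#define PKT_LEN_SIZE 4

/* Results of parsing one pkt-line; negative values are errors. */
typedef enum {
    PKT_OK             =  0,  /* a data packet was parsed */
    PKT_FLUSH          =  1,  /* "0000": flush packet, no payload */
    PKT_ERR_NEED_MORE  = -1,  /* fewer than PKT_LEN_SIZE bytes available */
    PKT_ERR_BAD_HEX    = -2,  /* length prefix is not four hex digits */
    PKT_ERR_BAD_LENGTH = -3,  /* non-flush length smaller than the header (CVE-2016-10128) */
    PKT_ERR_EMPTY      = -4,  /* "0004": header with no payload (CVE-2016-10129) */
    PKT_ERR_TRUNCATED  = -5   /* declared length exceeds the bytes available */
} pkt_status;

typedef struct {
    const char *data;  /* payload start, just after the 4-byte header */
    size_t      len;   /* payload length, header excluded */
} pkt_line;

static int hex_value(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Parse one pkt-line from buf (hypothetical helper, not libgit2's API).
 * On PKT_OK or PKT_FLUSH, *consumed is the number of bytes to skip to reach
 * the next packet. Every check on the declared length happens before any
 * arithmetic on it, so a hostile prefix cannot produce a wrapped size_t.
 */
pkt_status pkt_parse_line(const char *buf, size_t buflen, pkt_line *out, size_t *consumed)
{
    size_t len = 0;
    int i;

    *consumed = 0;
    if (buflen < PKT_LEN_SIZE)
        return PKT_ERR_NEED_MORE;

    for (i = 0; i < PKT_LEN_SIZE; i++) {
        int v = hex_value(buf[i]);
        if (v < 0)
            return PKT_ERR_BAD_HEX;
        len = (len << 4) | (size_t)v;
    }

    if (len == 0) {                 /* flush packet */
        *consumed = PKT_LEN_SIZE;
        return PKT_FLUSH;
    }

    /* The declared length includes the header itself. Without this check,
     * len - PKT_LEN_SIZE below would wrap to a huge size_t for "0001".."0003"
     * and be handed to callers as a payload length (CVE-2016-10128). */
    if (len < PKT_LEN_SIZE)
        return PKT_ERR_BAD_LENGTH;

    /* "0004" carries no payload. Return an error rather than success with
     * no packet, which downstream code would dereference (CVE-2016-10129). */
    if (len == PKT_LEN_SIZE)
        return PKT_ERR_EMPTY;

    if (len > buflen)
        return PKT_ERR_TRUNCATED;

    out->data = buf + PKT_LEN_SIZE;
    out->len  = len - PKT_LEN_SIZE;
    *consumed = len;
    return PKT_OK;
}

/* Walk a stream, counting accepted packets; stop at the first error and
 * report its status through *last. */
int pkt_count_stream(const char *buf, size_t buflen, pkt_status *last)
{
    int count = 0;
    size_t off = 0;

    *last = PKT_OK;
    while (off < buflen) {
        pkt_line p;
        size_t used;
        *last = pkt_parse_line(buf + off, buflen - off, &p, &used);
        if (*last < 0)
            return count;
        count++;
        off += used;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: one data packet, a flush, then an empty "0004" line. */
    static const char stream[] = "000ahello\n" "0000" "0004";
    pkt_status last;
    int n = pkt_count_stream(stream, sizeof(stream) - 1, &last);
    printf("accepted %d packets, stopped with status %d\n", n, (int)last);
    return 0;
}
```

The ordering matters: the `len == 0` flush case must be recognised before the `len < PKT_LEN_SIZE` rejection, and the truncation check against `buflen` comes last so that a declared length is never used to index past the bytes actually received.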