CVE-2016-10128 - log back

CVE-2016-10128 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ Each packet line in the Git protocol is prefixed by a four-byte length of how much data will follow, which we parse in `git_pkt_parse_line`. The transmitted length can either be equal to zero in case of a flush packet or has to be at least of length four, as it also includes the encoded length itself. Not checking this may result in a buffer overflow as it directly passes the length to functions which accept a `size_t` length as parameter.
+ The issue is fixed by verifying that non-flush packets have at least a length of `PKT_LEN_SIZE`.
References
+ https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
Notes