libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130

Related Vulnerabilities: CVE-2016-10128   CVE-2016-10129   CVE-2016-10130   CVE-2017-5338   CVE-2017-5339  

Debian Bug report logs - #851406
libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 14 Jan 2017 15:54:05 UTC

Severity: important

Tags: confirmed, jessie, patch, security, upstream

Found in version libgit2/0.24.5-1

Fixed in versions libgit2/0.25.1-1, libgit2/0.25.1+really0.24.6-1

Done: Russell Sim <russell.sim@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#851406; Package src:libgit2. (Sat, 14 Jan 2017 15:54:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Russell Sim <russell.sim@gmail.com>. (Sat, 14 Jan 2017 15:54:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 CVE-2017-5338 CVE-2017-5339
Date: Sat, 14 Jan 2017 16:52:21 +0100
Source: libgit2
Version: 0.24.5-1
Severity: important
Tags: upstream patch security

Hi,

the following vulnerabilities were published for libgit2.

CVE-2016-10128[0]:
smart_pkt: verify packet length exceeds PKT_LEN_SIZE

CVE-2016-10129[1]:
smart_pkt: treat empty packet lines as error

CVE-2016-10130[2]:
http: check certificate validity before clobbering the error variable

CVE-2017-5338[3]:
http: perform 'badssl' check also via certificate callback

CVE-2017-5339[4]:
http: correct the expected error for RC4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10128
[1] https://security-tracker.debian.org/tracker/CVE-2016-10129
[2] https://security-tracker.debian.org/tracker/CVE-2016-10130
[3] https://security-tracker.debian.org/tracker/CVE-2017-5338
[4] https://security-tracker.debian.org/tracker/CVE-2017-5339
[5] https://github.com/libgit2/libgit2/releases/tag/v0.25.1
[6] https://github.com/libgit2/libgit2/releases/tag/v0.24.6

Please adjust the affected versions in the BTS as needed. I only
looked so far at the source of libgit2 in unstable, jessie was not
checked.

Regards,
Salvatore
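The first two commit titles in the report above ("verify packet length exceeds PKT_LEN_SIZE" and "treat empty packet lines as error") both concern the framing of git's smart protocol, where every line starts with four ASCII hex digits giving the total length of the packet including that 4-byte header, and "0000" is a flush-pkt with no payload. The following is an added example, not libgit2's smart_pkt.c: a small defensive pkt-line parser that applies the two checks the titles name. A non-zero length below PKT_LEN_SIZE is rejected because subtracting the header would otherwise underflow into a huge payload size, and a length of exactly PKT_LEN_SIZE (an empty line) is rejected instead of being handed to code that expects at least one payload byte. The status names, the `pkt_line` struct and the 65520-byte upper bound on a packet are this example's own choices, not libgit2 identifiers; the sample byte strings are constructed.

```c
/* Added example, not libgit2's code: defensive parsing of git pkt-lines. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PKT_LEN_SIZE 4       /* the 4 hex digits of the length field   */
#define PKT_MAX_LEN  65520   /* 0xfff0: largest packet the protocol allows (assumed bound) */

typedef enum {
    PKT_OK = 0,      /* data packet parsed; out->data/len are valid */
    PKT_FLUSH,       /* "0000" flush-pkt                            */
    PKT_NEED_MORE,   /* buffer ends before the packet does          */
    PKT_ERR_HEX,     /* length field is not four hex digits         */
    PKT_ERR_SHORT,   /* length 1..3: smaller than the header itself */
    PKT_ERR_EMPTY,   /* length exactly 4: header with no payload    */
    PKT_ERR_TOOBIG   /* length above PKT_MAX_LEN                    */
} pkt_status;

typedef struct {
    const char *data;  /* points into the caller's buffer, not copied */
    size_t len;        /* payload length, 0 for a flush-pkt           */
} pkt_line;

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse one pkt-line from buf[0..buflen). On PKT_OK or PKT_FLUSH, *consumed
 * holds the bytes the packet occupied; on any other status nothing is
 * consumed and *out is left untouched. */
pkt_status pkt_parse_line(const char *buf, size_t buflen, pkt_line *out, size_t *consumed)
{
    size_t len = 0;
    int i;

    *consumed = 0;
    if (buflen < PKT_LEN_SIZE)
        return PKT_NEED_MORE;

    /* Decode the length field; anything that is not hex is a protocol error. */
    for (i = 0; i < PKT_LEN_SIZE; i++) {
        int v = hexval(buf[i]);
        if (v < 0)
            return PKT_ERR_HEX;
        len = (len << 4) | (size_t)v;
    }

    if (len == 0) {                 /* flush-pkt: header only, by design */
        out->data = NULL;
        out->len = 0;
        *consumed = PKT_LEN_SIZE;
        return PKT_FLUSH;
    }
    if (len < PKT_LEN_SIZE)         /* "len - 4" would underflow (CVE-2016-10128 class) */
        return PKT_ERR_SHORT;
    if (len == PKT_LEN_SIZE)        /* empty line is an error (CVE-2016-10129 class) */
        return PKT_ERR_EMPTY;
    if (len > PKT_MAX_LEN)
        return PKT_ERR_TOOBIG;
    if (len > buflen)               /* len is now bounded and >= 5, safe to compare */
        return PKT_NEED_MORE;

    out->data = buf + PKT_LEN_SIZE;
    out->len = len - PKT_LEN_SIZE;  /* cannot underflow: len > PKT_LEN_SIZE here */
    *consumed = len;
    return PKT_OK;
}

/* Walk a buffer of pkt-lines and return the number of data packets before the
 * first flush-pkt, or -1 if any packet is malformed or the input is truncated. */
int pkt_count_until_flush(const char *buf, size_t buflen)
{
    int count = 0;
    size_t off = 0;

    while (off < buflen) {
        pkt_line pkt;
        size_t used;
        pkt_status st = pkt_parse_line(buf + off, buflen - off, &pkt, &used);
        if (st == PKT_FLUSH)
            return count;
        if (st != PKT_OK)
            return -1;
        count++;
        off += used;
    }
    return -1;  /* input ended without a flush-pkt */
}

int main(void)
{
    /* Constructed sample streams: a valid one and one whose second packet claims length 3. */
    const char good[] = "0009hello0006hi0000";
    const char bad[]  = "0009hello00030000";

    printf("good stream: %d data packets\n", pkt_count_until_flush(good, sizeof(good) - 1));
    printf("bad stream:  %d (negative means rejected)\n", pkt_count_until_flush(bad, sizeof(bad) - 1));
    return 0;
}
```

The ordering of the checks is the point: the flush case is handled first, then the length is compared against the header size before it is ever subtracted from, so the payload length can never wrap. Rejecting "0004" is the stricter policy the libgit2 commit title describes; git's own reference implementation accepts an empty data line, so a parser that has to interoperate with both should document which behaviour it chooses.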



Information forwarded to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#851406; Package src:libgit2. (Tue, 11 Apr 2017 18:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>. (Tue, 11 Apr 2017 18:51:03 GMT)


Message #10 received at 851406@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 851406@bugs.debian.org
Subject: Re: Bug#851406: libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130
Date: Tue, 11 Apr 2017 20:49:46 +0200
Control: retitle -1 libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130

On Sat, Jan 14, 2017 at 04:52:21PM +0100, Salvatore Bonaccorso wrote:
> Source: libgit2
> Version: 0.24.5-1
> Severity: important
> Tags: upstream patch security
> 
> Hi,
> 
> the following vulnerabilities were published for libgit2.
> 
> CVE-2016-10128[0]:
> smart_pkt: verify packet length exceeds PKT_LEN_SIZE
> 
> CVE-2016-10129[1]:
> smart_pkt: treat empty packet lines as error
> 
> CVE-2016-10130[2]:
> http: check certificate validity before clobbering the error variable

Please note that CVE-2017-5338 and CVE-2017-5339 have been rejected. So ignore
those. It was shown with further investigation that those are not security
issues.

Regards,
Salvatore



Changed Bug title to 'libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130' from 'libgit2: CVE-2016-10128 CVE-2016-10129 CVE-2016-10130 CVE-2017-5338 CVE-2017-5339'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 851406-submit@bugs.debian.org. (Tue, 11 Apr 2017 18:51:03 GMT)


Bug 851406 cloned as bug 860990. Request was from Ximin Luo <infinity0@debian.org> to control@bugs.debian.org. (Sun, 23 Apr 2017 09:48:06 GMT)


Added tag(s) confirmed and jessie. Request was from Russell Sim <russell.sim@gmail.com> to control@bugs.debian.org. (Fri, 28 Apr 2017 18:18:03 GMT)


Reply sent to Russell Sim <russell.sim@gmail.com>:
You have taken responsibility. (Tue, 02 May 2017 07:03:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 02 May 2017 07:03:10 GMT)


Message #21 received at 851406-close@bugs.debian.org:

From: Russell Sim <russell.sim@gmail.com>
To: 851406-close@bugs.debian.org
Subject: Bug#851406: fixed in libgit2 0.25.1-1
Date: Tue, 02 May 2017 07:00:10 +0000
Source: libgit2
Source-Version: 0.25.1-1

We believe that the bug you reported is fixed in the latest version of
libgit2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Sim <russell.sim@gmail.com> (supplier of updated libgit2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 25 Apr 2017 07:29:37 +0200
Source: libgit2
Binary: libgit2-dev libgit2-25
Architecture: source amd64
Version: 0.25.1-1
Distribution: experimental
Urgency: medium
Maintainer: Russell Sim <russell.sim@gmail.com>
Changed-By: Russell Sim <russell.sim@gmail.com>
Description:
 libgit2-25 - low-level Git library
 libgit2-dev - low-level Git library (development files)
Closes: 851406 857068
Changes:
 libgit2 (0.25.1-1) experimental; urgency=medium
 .
   * New upstream release. (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130)
     (Closes: #851406, #857068)
Checksums-Sha1:
 504b31ee99ae69d138bb1bbca9298001b13d8fa5 2049 libgit2_0.25.1-1.dsc
 c65238d0e0a698b202a3a886d003228cac6dacc3 4252130 libgit2_0.25.1.orig.tar.gz
 9de10f49775de1cb7baa13697c0d8f063d2694b7 13628 libgit2_0.25.1-1.debian.tar.xz
 9fd544f839426c138b947fa78d9c58bc766f260f 1577934 libgit2-25-dbgsym_0.25.1-1_amd64.deb
 2337dbcfb13a9d7a6f13dbc371b76964e1f7a241 394910 libgit2-25_0.25.1-1_amd64.deb
 c504cfce38f041f45d1f15f9c04d08c90fdafc36 679224 libgit2-dev_0.25.1-1_amd64.deb
 e827b095b9eb17f386ac8d377e10ce08c20e1d72 7614 libgit2_0.25.1-1_amd64.buildinfo
Checksums-Sha256:
 6af7a5d1ea5bb4d3abb1c18c28313881b0db0c86761e1d30bafe95168f465b3a 2049 libgit2_0.25.1-1.dsc
 7ae8e699ff7ff9a1fa702249140ee31ea6fd556bf7968e84e38165870667bcb1 4252130 libgit2_0.25.1.orig.tar.gz
 68960597653b4a3f9d77f23d3d119ea66810a8f4007ee37ae1cccf023c684037 13628 libgit2_0.25.1-1.debian.tar.xz
 37b3637234cb192e909894f0bdfad12d105460e52909efab1c57c105a502896a 1577934 libgit2-25-dbgsym_0.25.1-1_amd64.deb
 cbac357a3c10f778ed23dfbae02ebd88b1399c94ccda2441074cfd377006e0f0 394910 libgit2-25_0.25.1-1_amd64.deb
 c936115a594f80c967eba923f44e5a9dfb5fe7d1239f2a09fb866db9fe1f5b53 679224 libgit2-dev_0.25.1-1_amd64.deb
 143fc6058f0b69c8be92481f8ece8a73ad74eaaa648650715300743107a7b2b2 7614 libgit2_0.25.1-1_amd64.buildinfo
Files:
 d3b56edf5240a2d0ce00c15661e7ecb9 2049 libs extra libgit2_0.25.1-1.dsc
 3b285ce94200f00c34962711f001b192 4252130 libs extra libgit2_0.25.1.orig.tar.gz
 3f660f2a617ba819c4754f3dce8f206f 13628 libs extra libgit2_0.25.1-1.debian.tar.xz
 e8e7cc54151554ea05f6f16ec5f2085f 1577934 debug extra libgit2-25-dbgsym_0.25.1-1_amd64.deb
 5fb5ca0a4fa74d1410b687578ca36f14 394910 libs extra libgit2-25_0.25.1-1_amd64.deb
 67b7aecc64b4d3d222a897c1ecd7db32 679224 libdevel extra libgit2-dev_0.25.1-1_amd64.deb
 15d3bf83fea42ab2e179e9fe735ceb24 7614 libs extra libgit2_0.25.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Russell Sim <russell.sim@gmail.com>:
You have taken responsibility. (Sun, 21 May 2017 16:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 21 May 2017 16:36:03 GMT)


Message #26 received at 851406-close@bugs.debian.org:

From: Russell Sim <russell.sim@gmail.com>
To: 851406-close@bugs.debian.org
Subject: Bug#851406: fixed in libgit2 0.25.1+really0.24.6-1
Date: Sun, 21 May 2017 16:33:46 +0000
Source: libgit2
Source-Version: 0.25.1+really0.24.6-1

We believe that the bug you reported is fixed in the latest version of
libgit2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851406@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russell Sim <russell.sim@gmail.com> (supplier of updated libgit2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 21 May 2017 18:18:47 +0200
Source: libgit2
Binary: libgit2-dev libgit2-24
Architecture: source amd64
Version: 0.25.1+really0.24.6-1
Distribution: unstable
Urgency: medium
Maintainer: Russell Sim <russell.sim@gmail.com>
Changed-By: Russell Sim <russell.sim@gmail.com>
Description:
 libgit2-24 - low-level Git library
 libgit2-dev - low-level Git library (development files)
Closes: 851406
Changes:
 libgit2 (0.25.1+really0.24.6-1) unstable; urgency=medium
 .
   * Revert 0.25.1 in unstable, 0.24.5 was already in unstable 0.25.1 was
     uploaded after the freeze.
   * Release 0.24.6 (CVE-2016-10128, CVE-2016-10129, CVE-2016-10130)
     (Closes: #851406)
Checksums-Sha1:
 ee051794455d9da39cb2e6ad6d8bca93ae77276d 2111 libgit2_0.25.1+really0.24.6-1.dsc
 259d7ccdf716b273f239810bdd567195c3e02d0d 4178476 libgit2_0.25.1+really0.24.6.orig.tar.gz
 6e630ba524cd6835bb7783f954729acb19de7d89 13704 libgit2_0.25.1+really0.24.6-1.debian.tar.xz
 609d253ce4ebd0c85644ff5b9bd6aeb9a5a1323e 1493864 libgit2-24-dbgsym_0.25.1+really0.24.6-1_amd64.deb
 e46f6c3b6d99c95aaefceaf9965fad622e948e2b 375520 libgit2-24_0.25.1+really0.24.6-1_amd64.deb
 cd9e37c961123eadc0a85228817a99f845ffc4bb 650330 libgit2-dev_0.25.1+really0.24.6-1_amd64.deb
 f8791014d444012911634be119ca7f3fd7d1a77d 7920 libgit2_0.25.1+really0.24.6-1_amd64.buildinfo
Checksums-Sha256:
 85d18cdeebb960b9d14d325dbd873b74872a590caa2ff377bad21020f3acd77c 2111 libgit2_0.25.1+really0.24.6-1.dsc
 7b441a96967ff525e790f8b66859faba5c6be4c347124011f536ae9075ebc30c 4178476 libgit2_0.25.1+really0.24.6.orig.tar.gz
 176b2b7c5cd411614473d9ad8acb617db55f08b3247b0c1d39dd0381b16e096f 13704 libgit2_0.25.1+really0.24.6-1.debian.tar.xz
 493f7c989bc55bc70c5f819ad7fca87522696122c03e24b105de471c78ec7b91 1493864 libgit2-24-dbgsym_0.25.1+really0.24.6-1_amd64.deb
 97f6946ab8bef6678ebd073824024f8cea605e8d63d2e5860ec05c45cfebfe6f 375520 libgit2-24_0.25.1+really0.24.6-1_amd64.deb
 1afc9a51865be8cf960aaba0e48ef1fd95386c5432b2b79525c8123e69e2bf15 650330 libgit2-dev_0.25.1+really0.24.6-1_amd64.deb
 b8405b065dfa0974cce48db28e40964d1190f49344aaccc9386538be18ebc5da 7920 libgit2_0.25.1+really0.24.6-1_amd64.buildinfo
Files:
 f5ad5ce0df3cf5ac7a4729139cba432e 2111 libs extra libgit2_0.25.1+really0.24.6-1.dsc
 cbdf07ec58f63fd01a48d1a6f7b9c37d 4178476 libs extra libgit2_0.25.1+really0.24.6.orig.tar.gz
 3576bfe8abd53d6ef5003651838a98be 13704 libs extra libgit2_0.25.1+really0.24.6-1.debian.tar.xz
 d63d78072eec337794493bc6bc1dd70e 1493864 debug extra libgit2-24-dbgsym_0.25.1+really0.24.6-1_amd64.deb
 d710ffc8d0fb03df2a0d6cfc683a7b24 375520 libs extra libgit2-24_0.25.1+really0.24.6-1_amd64.deb
 4f133e702c198aee1e343a4d3d49784c 650330 libdevel extra libgit2-dev_0.25.1+really0.24.6-1_amd64.deb
 5fc2c43185e32ee7d1d240e16bbdef24 7920 libs extra libgit2_0.25.1+really0.24.6-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:27:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:36:14 2019; Machine Name: buxtehude
