libgit2: CVE-2024-24575: Denial of service attack in `git_revparse_single`

Related Vulnerabilities: CVE-2024-24575   CVE-2024-24577  

Debian Bug report logs - #1063415

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Feb 2024 21:27:02 UTC

Severity: important

Tags: security, upstream

Found in versions libgit2/1.5.1+ds-1, libgit2/1.7.1+ds-2

Fixed in version libgit2/1.7.2+ds-1

Done: Timo Röhling <roehling@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Utkarsh Gupta <utkarsh@debian.org>:
Bug#1063415; Package src:libgit2. (Wed, 07 Feb 2024 21:27:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Utkarsh Gupta <utkarsh@debian.org>. (Wed, 07 Feb 2024 21:27:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgit2: CVE-2024-24575: Denial of service attack in `git_revparse_single`
Date: Wed, 07 Feb 2024 22:23:44 +0100
Source: libgit2
Version: 1.7.1+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.5.1+ds-1

Hi,

The following vulnerability was published for libgit2.

CVE-2024-24575[0]:
| libgit2 is a portable C implementation of the Git core methods
| provided as a linkable library with a solid API, allowing to build
| Git functionality into your application. Using well-crafted inputs
| to `git_revparse_single` can cause the function to enter an infinite
| loop, potentially causing a Denial of Service attack in the calling
| application. The revparse function in `src/libgit2/revparse.c` uses
| a loop to parse the user-provided spec string. There is an edge-case
| during parsing that allows a bad actor to force the loop conditions
| to access arbitrary memory. Potentially, this could also leak memory
| if the extracted rev spec is reflected back to the attacker. As
| such, libgit2 versions before 1.4.0 are not affected. Users should
| upgrade to version 1.6.5 or 1.7.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24575
    https://www.cve.org/CVERecord?id=CVE-2024-24575
[1] https://github.com/libgit2/libgit2/security/advisories/GHSA-54mf-x2rh-hq9v
[2] https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
[3] https://github.com/libgit2/libgit2/commit/7f6f3dff9c41f3be7598693aa3c716c8354fba7f

Regards,
Salvatore
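
The CVE text above describes a parsing loop over a caller-supplied rev spec whose stop condition can be pushed past the end of the string. The following is an added illustration of that bug class and its defensive fix, not libgit2's revparse.c code: a bounded scanner for the Git `name@{selector}` reflog syntax (the selector syntax and the function name are assumptions made for the example) that re-checks for the NUL terminator on every advance, so a truncated spec yields an error instead of an unbounded read.

```c
/* Added illustration, not libgit2 code. A scan of the form
 * `while (spec[pos] != '}') pos++;` walks off the end of the string when
 * the closing brace is missing; checking for NUL first turns that into a
 * clean error return. */
#include <stddef.h>
#include <string.h>

enum { SPEC_OK = 0, SPEC_ERR_SYNTAX = -1, SPEC_ERR_TRUNCATED = -2 };

/* Parse "<name>@{<selector>}". On success copy the selector into `sel`
 * (NUL-terminated, at most sel_len-1 bytes) and return SPEC_OK. */
int parse_reflog_selector(const char *spec, char *sel, size_t sel_len)
{
    size_t pos = 0, start, n;

    if (spec == NULL || sel == NULL || sel_len == 0)
        return SPEC_ERR_SYNTAX;

    /* Locate the '@'; stop at NUL rather than assuming it is present. */
    while (spec[pos] != '\0' && spec[pos] != '@')
        pos++;
    /* A trailing '@' is the edge case: spec[pos + 1] is then the NUL
     * terminator, which is still inside the buffer and safe to read. */
    if (spec[pos] != '@' || spec[pos + 1] != '{')
        return SPEC_ERR_SYNTAX;

    start = pos + 2;
    pos = start;
    /* Every advance re-checks for the terminator, so "name@{" cannot
     * push the loop beyond the caller's string. */
    while (spec[pos] != '\0' && spec[pos] != '}')
        pos++;
    if (spec[pos] != '}')
        return SPEC_ERR_TRUNCATED;

    n = pos - start;
    /* Empty selector or one that would not fit (with its NUL) is rejected. */
    if (n == 0 || n >= sel_len)
        return SPEC_ERR_SYNTAX;
    memcpy(sel, spec + start, n);
    sel[n] = '\0';
    return SPEC_OK;
}
```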



Marked as found in versions libgit2/1.5.1+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 07 Feb 2024 21:27:12 GMT)


Reply sent to Timo Röhling <roehling@debian.org>:
You have taken responsibility. (Thu, 08 Feb 2024 08:39:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 08 Feb 2024 08:39:04 GMT)


Message #12 received at 1063415-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1063415-close@bugs.debian.org
Subject: Bug#1063415: fixed in libgit2 1.7.2+ds-1
Date: Thu, 08 Feb 2024 08:35:57 +0000
Source: libgit2
Source-Version: 1.7.2+ds-1
Done: Timo Röhling <roehling@debian.org>

We believe that the bug you reported is fixed in the latest version of
libgit2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063415@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling <roehling@debian.org> (supplier of updated libgit2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 08 Feb 2024 09:10:45 +0100
Source: libgit2
Architecture: source
Version: 1.7.2+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Utkarsh Gupta <utkarsh@debian.org>
Changed-By: Timo Röhling <roehling@debian.org>
Closes: 1063415 1063416
Changes:
 libgit2 (1.7.2+ds-1) unstable; urgency=medium
 .
   * New upstream version 1.7.2+ds
     - Fix CVE-2024-24575: Denial of service in git_revparse_single
       (Closes: #1063415)
     - Fix CVE-2024-24577: Use-after-free in git_index_add
       (Closes: #1063416)
   * Build-depend on pkgconf instead of pkg-config







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Feb 8 14:45:23 2024; Machine Name: bembo
