Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2016-8568 CVE-2016-8569

Source

Debian Bug report logs - #840227
libgit2: CVE-2016-8568 CVE-2016-8569

Package: src:libgit2; Maintainer for src:libgit2 is Russell Sim <russell.sim@gmail.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 9 Oct 2016 18:03:02 UTC

Severity: grave

Tags: confirmed, jessie, security, upstream

Found in versions libgit2/0.21.1-3, libgit2/0.24.1-2

Fixed in version libgit2/0.24.5-1

Done: Pirate Praveen <praveen@onenetbeyond.org>

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#840227; Package src:libgit2. (Sun, 09 Oct 2016 18:03:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Russell Sim <russell.sim@gmail.com>. (Sun, 09 Oct 2016 18:03:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: libgit2
Version: 0.24.1-2
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for libgit2.

CVE-2016-8568[0, 3]:
Read out-of-bounds in git_oid_nfmt

CVE-2016-8569[1, 4]:
DoS using a null pointer dereference in git_commit_message

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8568
[1] https://security-tracker.debian.org/tracker/CVE-2016-8569
[2] https://marc.info/?l=oss-security&m=147594097425642&w=2
[3] https://github.com/libgit2/libgit2/issues/3936
[4] https://github.com/libgit2/libgit2/issues/3937
[5] https://github.com/libgit2/libgit2/pull/3956

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Marked as fixed in versions libgit2/0.24.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 28 Oct 2016 11:09:02 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#840227; Package src:libgit2. (Tue, 03 Jan 2017 06:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Russell Sim <russell.sim@gmail.com>:
Extra info received and forwarded to list. (Tue, 03 Jan 2017 06:57:03 GMT) (full text, mbox, link).

Message #12 received at submit@bugs.debian.org (full text, mbox, reply):

Hi,

Sorry, I messed this up.

The fix for CVE-2016-8569 was included in the 0.24.2-1 release but the
fix for CVE-2016-8568 wasn't.

Sorry about that, I have pushed a new version to unstable that includes
the fix, the version is 0.24.5-1.  I realised the mistake when I was
reviewing some diffs before an upload yesterday.

Salvatore Bonaccorso <carnil@debian.org> writes:

> Source: libgit2
> Version: 0.24.1-2
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> the following vulnerabilities were published for libgit2.
>
> CVE-2016-8568[0, 3]:
> Read out-of-bounds in git_oid_nfmt
>
> CVE-2016-8569[1, 4]:
> DoS using a null pointer dereference in git_commit_message
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8568
> [1] https://security-tracker.debian.org/tracker/CVE-2016-8569
> [2] https://marc.info/?l=oss-security&m=147594097425642&w=2
> [3] https://github.com/libgit2/libgit2/issues/3936
> [4] https://github.com/libgit2/libgit2/issues/3937
> [5] https://github.com/libgit2/libgit2/pull/3956
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

-- 
Cheers,
Russell

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#840227; Package src:libgit2. (Tue, 03 Jan 2017 06:57:04 GMT) (full text, mbox, link).

Acknowledgement sent to Russell Sim <russell.sim@gmail.com>:
Extra info received and forwarded to list. (Tue, 03 Jan 2017 06:57:04 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>:
Bug#840227; Package src:libgit2. (Tue, 03 Jan 2017 07:48:03 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>. (Tue, 03 Jan 2017 07:48:03 GMT) (full text, mbox, link).

Message #22 received at 840227@bugs.debian.org (full text, mbox, reply):

Hi Russell,

On Tue, Jan 03, 2017 at 05:55:31PM +1100, Russell Sim wrote:
> Hi,
> 
> Sorry, I messed this up.
> 
> The fix for CVE-2016-8569 was included in the 0.24.2-1 release but the
> fix for CVE-2016-8568 wasn't.
> 
> Sorry about that, I have pushed a new version to unstable that includes
> the fix, the version is 0.24.5-1.  I realised the mistake when I was
> reviewing some diffs before an upload yesterday.

Thanks. I have fixed the security-tracker information regarding those
CVEs.

Regards,
Salvatore

Bug 840227 cloned as bug 860989 Request was from Ximin Luo <infinity0@debian.org> to control@bugs.debian.org. (Sun, 23 Apr 2017 09:48:06 GMT) (full text, mbox, link).

No longer marked as fixed in versions libgit2/0.24.2-1. Request was from Russell Sim <russell.sim@gmail.com> to control@bugs.debian.org. (Fri, 28 Apr 2017 07:03:04 GMT) (full text, mbox, link).

Marked as fixed in versions libgit2/0.24.5-1. Request was from Russell Sim <russell.sim@gmail.com> to control@bugs.debian.org. (Fri, 28 Apr 2017 07:03:05 GMT) (full text, mbox, link).

Added tag(s) confirmed and jessie. Request was from Russell Sim <russell.sim@gmail.com> to control@bugs.debian.org. (Fri, 28 Apr 2017 07:03:05 GMT) (full text, mbox, link).

Marked as found in versions libgit2/0.21.1-3. Request was from Russell Sim <russell.sim@gmail.com> to control@bugs.debian.org. (Fri, 28 Apr 2017 07:03:06 GMT) (full text, mbox, link).

Reply sent to Pirate Praveen <praveen@onenetbeyond.org>:
You have taken responsibility. (Wed, 18 Jul 2018 11:15:07 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 Jul 2018 11:15:07 GMT) (full text, mbox, link).

Message #37 received at 840227-done@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

closing.

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:43:56 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

libgit2: CVE-2016-8568 CVE-2016-8569

Debian Bug report logs - #840227
libgit2: CVE-2016-8568 CVE-2016-8569

Vulmon Search

About

Products

Connect

libgit2: CVE-2016-8568 CVE-2016-8569

Debian Bug report logs - #840227 libgit2: CVE-2016-8568 CVE-2016-8569

Vulmon Search

About

Products

Connect

Debian Bug report logs - #840227
libgit2: CVE-2016-8568 CVE-2016-8569