Debian Bug report logs -
#840227
libgit2: CVE-2016-8568 CVE-2016-8569
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 9 Oct 2016 18:03:02 UTC
Severity: grave
Tags: confirmed, jessie, security, upstream
Found in versions libgit2/0.21.1-3, libgit2/0.24.1-2
Fixed in version libgit2/0.24.5-1
Done: Pirate Praveen <praveen@onenetbeyond.org>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Russell Sim <russell.sim@gmail.com>
:
Bug#840227
; Package src:libgit2
.
(Sun, 09 Oct 2016 18:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Russell Sim <russell.sim@gmail.com>
.
(Sun, 09 Oct 2016 18:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libgit2
Version: 0.24.1-2
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for libgit2.
CVE-2016-8568[0, 3]:
Read out-of-bounds in git_oid_nfmt
CVE-2016-8569[1, 4]:
DoS using a null pointer dereference in git_commit_message
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-8568
[1] https://security-tracker.debian.org/tracker/CVE-2016-8569
[2] https://marc.info/?l=oss-security&m=147594097425642&w=2
[3] https://github.com/libgit2/libgit2/issues/3936
[4] https://github.com/libgit2/libgit2/issues/3937
[5] https://github.com/libgit2/libgit2/pull/3956
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as fixed in versions libgit2/0.24.2-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 28 Oct 2016 11:09:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org
:
Bug#840227
; Package src:libgit2
.
(Tue, 03 Jan 2017 06:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Russell Sim <russell.sim@gmail.com>
:
Extra info received and forwarded to list.
(Tue, 03 Jan 2017 06:57:03 GMT) (full text, mbox, link).
Message #12 received at submit@bugs.debian.org (full text, mbox, reply):
Hi,
Sorry, I messed this up.
The fix for CVE-2016-8569 was included in the 0.24.2-1 release but the
fix for CVE-2016-8568 wasn't.
Sorry about that, I have pushed a new version to unstable that includes
the fix, the version is 0.24.5-1. I realised the mistake when I was
reviewing some diffs before an upload yesterday.
Salvatore Bonaccorso <carnil@debian.org> writes:
> Source: libgit2
> Version: 0.24.1-2
> Severity: grave
> Tags: security upstream
>
> Hi,
>
> the following vulnerabilities were published for libgit2.
>
> CVE-2016-8568[0, 3]:
> Read out-of-bounds in git_oid_nfmt
>
> CVE-2016-8569[1, 4]:
> DoS using a null pointer dereference in git_commit_message
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-8568
> [1] https://security-tracker.debian.org/tracker/CVE-2016-8569
> [2] https://marc.info/?l=oss-security&m=147594097425642&w=2
> [3] https://github.com/libgit2/libgit2/issues/3936
> [4] https://github.com/libgit2/libgit2/issues/3937
> [5] https://github.com/libgit2/libgit2/pull/3956
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
--
Cheers,
Russell
Information forwarded
to debian-bugs-dist@lists.debian.org
:
Bug#840227
; Package src:libgit2
.
(Tue, 03 Jan 2017 06:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Russell Sim <russell.sim@gmail.com>
:
Extra info received and forwarded to list.
(Tue, 03 Jan 2017 06:57:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Russell Sim <russell.sim@gmail.com>
:
Bug#840227
; Package src:libgit2
.
(Tue, 03 Jan 2017 07:48:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Russell Sim <russell.sim@gmail.com>
.
(Tue, 03 Jan 2017 07:48:03 GMT) (full text, mbox, link).
Message #22 received at 840227@bugs.debian.org (full text, mbox, reply):
Hi Russell,
On Tue, Jan 03, 2017 at 05:55:31PM +1100, Russell Sim wrote:
> Hi,
>
> Sorry, I messed this up.
>
> The fix for CVE-2016-8569 was included in the 0.24.2-1 release but the
> fix for CVE-2016-8568 wasn't.
>
> Sorry about that, I have pushed a new version to unstable that includes
> the fix, the version is 0.24.5-1. I realised the mistake when I was
> reviewing some diffs before an upload yesterday.
Thanks. I have fixed the security-tracker information regarding those
CVEs.
Regards,
Salvatore
Bug 840227 cloned as bug 860989
Request was from Ximin Luo <infinity0@debian.org>
to control@bugs.debian.org
.
(Sun, 23 Apr 2017 09:48:06 GMT) (full text, mbox, link).
No longer marked as fixed in versions libgit2/0.24.2-1.
Request was from Russell Sim <russell.sim@gmail.com>
to control@bugs.debian.org
.
(Fri, 28 Apr 2017 07:03:04 GMT) (full text, mbox, link).
Marked as fixed in versions libgit2/0.24.5-1.
Request was from Russell Sim <russell.sim@gmail.com>
to control@bugs.debian.org
.
(Fri, 28 Apr 2017 07:03:05 GMT) (full text, mbox, link).
Added tag(s) confirmed and jessie.
Request was from Russell Sim <russell.sim@gmail.com>
to control@bugs.debian.org
.
(Fri, 28 Apr 2017 07:03:05 GMT) (full text, mbox, link).
Marked as found in versions libgit2/0.21.1-3.
Request was from Russell Sim <russell.sim@gmail.com>
to control@bugs.debian.org
.
(Fri, 28 Apr 2017 07:03:06 GMT) (full text, mbox, link).
Reply sent
to Pirate Praveen <praveen@onenetbeyond.org>
:
You have taken responsibility.
(Wed, 18 Jul 2018 11:15:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Wed, 18 Jul 2018 11:15:07 GMT) (full text, mbox, link).
Message #37 received at 840227-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
closing.
[signature.asc (application/pgp-signature, attachment)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:43:56 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.