Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 10 Jan 2017 11:31:37 +0100
From: Andreas Stieger <astieger@...e.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, cmn@...m.me
Subject: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6

Hello,

libgit2 released:

https://github.com/libgit2/libgit2/releases/tag/v0.25.1
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

with the following two fixes:

[...] performs extra sanitization for some edge cases in the Git Smart
Protocol which can lead to attempting to parse outside of the buffer.

https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a


[...] fix affects the certificate check callback. It provides a valid
parameter to indicate whether the native cryptographic library
considered the certificate to be correct. This parameter is always
1/true before this fix leading to a possible MITM.

This does not affect you if you do not use the custom certificate
callback or if you do not take this value into account. This does affect
you if you use pygit2 or git2go regardless of whether you specify a
certificate check callback.

https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22
https://github.com/libgit2/libgit2/commit/98d66240ecb7765e191da19b535c75c92ccc90fe
https://github.com/libgit2/libgit2/commit/3829ba2e710553893faf6336cc6b2f3fc17a293e
https://github.com/libgit2/libgit2/commit/2ac57aa89bde788173b54bd153430369deec64c0


Could CVEs please be assigned?

Thanks,

Andreas

-- 

Andreas Stieger <astieger@...e.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton,
HRB 21284 (AG N├╝rnberg)




[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ