Main Vulnerability Database SB2017011021

SB2017011021 - Fedora 25 update for libgit2

Published: January 10, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017011021

Severity

High

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2016-10128)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet.

2) NULL pointer dereference (CVE-ID: CVE-2016-10129)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via an empty packet line.

3) Improper access control (CVE-ID: CVE-2016-10130)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2017-2ddf7d452a