SB2018050220 - Fedora EPEL 7 update for libgit2, python-pygit2
Published: May 2, 2018 Updated: April 24, 2025
Security Bulletin ID
SB2018050220
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Partial DoS
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Double free (CVE-ID: CVE-2018-8099)
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the read_entry() function due to a double free error. A remote attacker can send a specially crafted repository index file, trick the victim into opening it and cause the service to crash.
2) Out-of-bounds read (CVE-ID: CVE-2018-8098)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allow a remote attacker to cause DoS condition on the target system.
The weakness exists in the index.c:read_entry() function due to out-of-bounds read while decompressing a compressed prefix length. A remote attacker can send a specially crafted repository index file, trick the victim into opening it and cause the service to crash.
Remediation
Install update from vendor's website.