#VU32000 Buffer overflow in libgit2


Published: 2017-03-24 | Updated: 2020-07-28

Vulnerability identifier: #VU32000

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-10128

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libgit2
Universal components / Libraries / Libraries used by multiple products

Vendor: libgit2.github.com

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libgit2: 0.24.4.0 - 0.25.1.0

External links
http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html
http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html
http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
http://www.openwall.com/lists/oss-security/2017/01/10/5
http://www.openwall.com/lists/oss-security/2017/01/11/6
http://www.securityfocus.com/bid/95338
http://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2
http://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
http://libgit2.github.com/security/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Buffer overflow in libgit2-1.0 (Alpine package)
Buffer overflow in libgit2.github.com libgit2
Buffer overflow in libgit2-0.27 (Alpine package)
Arch Linux update for libgit2