The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers     to cause a denial of service (NULL pointer dereference) via an empty packet line. (CVE-2016-10129)

Note that Nessus relies on the presence of the package as reported by the vendor.

This update for libgit2 fixes the several issues.

These security issues were fixed :

  - CVE-2016-10128: Additional sanitization prevent some     edge cases in the Git Smart Protocol which can lead to     reading outside of a buffer (bsc#1019036).

  - CVE-2016-10129: Additional sanitization prevent some     edge cases in the Git Smart Protocol which can lead to     reading outside of a buffer (bsc#1019036).

  - CVE-2016-10130: When using the custom certificate     callback or when using pygit2 or git2go a attacker could     have caused an invalid certificate to be accepted     (bsc#1019037).

  - CVE-2017-5338: When using the custom certificate     callback or when using pygit2 or git2go a attacker could     have caused an invalid certificate to be accepted     (bsc#1019037).

  - CVE-2017-5339: When using the custom certificate     callback or when using pygit2 or git2go a attacker could     have caused an invalid certificate to be accepted     (bsc#1019037).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for libgit2 fixes the following issues :

  - CVE-2016-10130: When using the custom certificate     callback or when using pygit2 or git2go a attacker could     have caused an invalid certificate to be accepted     (bsc#1019037).

  - CVE-2017-5338: When using the custom certificate     callback or when using pygit2 or git2go a attacker could     have caused an invalid certificate to be accepted     (bsc#1019037).

  - CVE-2017-5339: When using the custom certificate     callback or when using pygit2 or git2go a attacker could     have caused an invalid certificate to be accepted     (bsc#1019037).

  - CVE-2016-10128: Additional sanitization prevent some     edge cases in the Git Smart Protocol which can lead to     reading outside of a buffer (bsc#1019036).

  - CVE-2016-10129: Additional sanitization prevent some     edge cases in the Git Smart Protocol which can lead to     reading outside of a buffer (bsc#1019036).

ID	Name	Product	Family	Severity
254962	Linux Distros Unpatched Vulnerability : CVE-2016-10129	Nessus	Misc.	high
97282	openSUSE Security Update : libgit2 (openSUSE-2017-262)	Nessus	SuSE Local Security Checks	critical
97074	openSUSE Security Update : libgit2 (openSUSE-2017-213)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2016-10129

high

Tenable Plugins

high

critical

critical