openSUSE Security Update : libgit2 (openSUSE-2018-922)

Medium Nessus Plugin ID 112139

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for libgit2 to version 0.26.5 fixes the following issues :

The following security vulnerabilities were addressed :

- CVE-2018-10887: Fixed an integer overflow which in turn leads to an out of bound read, allowing to read the base object, which could be exploited by an attacker to cause denial of service (DoS) (bsc#1100613).

- CVE-2018-10888: Fixed an out-of-bound read while reading a binary delta file, which could be exploited by an attacker t ocause a denial of service (DoS) (bsc#1100612).

- CVE-2018-11235: Fixed a remote code execution, which could occur with a crafted .gitmodules file (bsc#1095219)

- CVE-2018-15501: Prevent out-of-bounds reads when processing smart-protocol 'ng' packets (bsc#1104641)

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected libgit2 packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1095219

https://bugzilla.opensuse.org/show_bug.cgi?id=1100612

https://bugzilla.opensuse.org/show_bug.cgi?id=1100613

https://bugzilla.opensuse.org/show_bug.cgi?id=1104641

Plugin Details

Severity: Medium

ID: 112139

File Name: openSUSE-2018-922.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2018/08/28

Modified: 2018/09/07

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSSv3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libgit2-26, p-cpe:/a:novell:opensuse:libgit2-26-32bit, p-cpe:/a:novell:opensuse:libgit2-26-32bit-debuginfo, p-cpe:/a:novell:opensuse:libgit2-26-debuginfo, p-cpe:/a:novell:opensuse:libgit2-debugsource, p-cpe:/a:novell:opensuse:libgit2-devel, cpe:/o:novell:opensuse:15.0

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2018/08/24

Reference Information

CVE: CVE-2018-10887, CVE-2018-10888, CVE-2018-11235, CVE-2018-15501