CVE-2018-10887

NameCVE-2018-10887
DescriptionA flaw was found in libgit2 before version 0.27.3. It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs903509

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgit2 (PTS)jessie0.21.1-3vulnerable
stretch0.25.1+really0.24.6-1vulnerable
buster0.26.0+dfsg.1-1.2vulnerable
sid0.27.0+dfsg.1-0.8vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgit2source(unstable)(unfixed)903509

Notes

https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a
https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22

Search for package or bug name: Reporting problems