Your message dated Thu, 08 Feb 2024 08:35:57 +0000 with message-id <e1rxzsz-007dh4...@fasolo.debian.org> and subject line Bug#1063416: fixed in libgit2 1.7.2+ds-1 has caused the Debian Bug report #1063416, regarding libgit2: CVE-2024-24577: Arbitrary code execution due to heap corruption in `git_index_add` to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1063416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063416 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: libgit2 Version: 1.7.1+ds-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Control: found -1 1.5.1+ds-1 Control: found -1 1.1.0+dfsg.1-4+deb11u1 Control: found -1 1.1.0+dfsg.1-4 Hi, The following vulnerability was published for libgit2. CVE-2024-24577[0]: | libgit2 is a portable C implementation of the Git core methods | provided as a linkable library with a solid API, allowing to build | Git functionality into your application. Using well-crafted inputs | to `git_index_add` can cause heap corruption that could be leveraged | for arbitrary code execution. There is an issue in the | `has_dir_name` function in `src/libgit2/index.c`, which frees an | entry that should not be freed. The freed entry is later used and | overwritten with potentially bad actor-controlled data leading to | controlled heap corruption. Depending on the application that uses | libgit2, this could lead to arbitrary code execution. This issue has | been patched in version 1.6.5 and 1.7.2. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-24577 https://www.cve.org/CVERecord?id=CVE-2024-24577 [1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8 [2] https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3 [3] https://github.com/libgit2/libgit2/commit/487af0cf6687dc48b0a960fa2f39894e2d84d77b Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: libgit2 Source-Version: 1.7.2+ds-1 Done: Timo Röhling <roehl...@debian.org> We believe that the bug you reported is fixed in the latest version of libgit2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1063...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Timo Röhling <roehl...@debian.org> (supplier of updated libgit2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 08 Feb 2024 09:10:45 +0100 Source: libgit2 Architecture: source Version: 1.7.2+ds-1 Distribution: unstable Urgency: medium Maintainer: Utkarsh Gupta <utka...@debian.org> Changed-By: Timo Röhling <roehl...@debian.org> Closes: 1063415 1063416 Changes: libgit2 (1.7.2+ds-1) unstable; urgency=medium . * New upstream version 1.7.2+ds - Fix CVE-2024-24575: Denial of service in git_revparse_single (Closes: #1063415) - Fix CVE-2024-24577: Use-after-free in git_index_add (Closes: #1063416) * Build-depend on pkgconf instead of pkg-config Checksums-Sha1: d531f7e28c26d5d24e13dff75c098d25fd106be3 2259 libgit2_1.7.2+ds-1.dsc 9328b17923ad703815b23568f9be9b050a50fb74 4245244 libgit2_1.7.2+ds.orig.tar.xz 128505db2797d7e261898d8b65230897aff3da6f 18032 libgit2_1.7.2+ds-1.debian.tar.xz Checksums-Sha256: fad7efd04bdc2f9ea93fb117f1a3c14e2cf882c0748994993bc424af89cf4375 2259 libgit2_1.7.2+ds-1.dsc fe3e524576e624141f9bf00183c25421aa6d8fb3e90a1793a5f4e9a5360f53af 4245244 libgit2_1.7.2+ds.orig.tar.xz fda27230513e4182496e1c374284d260425c7cf044c883f373320eb0e89f9885 18032 libgit2_1.7.2+ds-1.debian.tar.xz Files: 68868beeefcd70cce7b7fd9689c9b376 2259 libs optional libgit2_1.7.2+ds-1.dsc b86cab767fba4c594e0d68cad0e40ebc 4245244 libs optional libgit2_1.7.2+ds.orig.tar.xz f3796a2294c5b2202d8f43977d37e8f1 18032 libs optional libgit2_1.7.2+ds-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQHIBAEBCgAyFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmXEkL0UHHJvZWhsaW5n QGRlYmlhbi5vcmcACgkQ+C8H+466LVlTPQwAwqjbdsJqgl9rTIUXHaVNgSme50sJ 7JRdIJ+AG40CtIPcdzILqO2cWTPOGIPo+fXJO6YGtMuY8vtHmk4ZljjSAXzjMhvZ 1+DtyyEaZv5hgjYOepFp9ZOHnxVb2uoi3IkO88TrNNLfJnk4jZTqdHQRu7lsMBbc G4SlGnluKUs3tSSs3+ODgEPUkqJVFdH0ZfULichNKL3YOXx693d9tmChNus/erNg xb/C5T/9ufDDAdabzVmStc1l3cRgqZlRGgvjGVktgKI5QSe9CHIrRKvhe6gIOVNo oZlgqRChv4Ba4eIfMlf+318WpCayQFXUCm4ko5li3qIHd2QlLTqmMoQmbr3feYBb P0FD45Eo3LW+z0W45a04rui0tYVkXZ2DtKtYJAgL+heepEYWVpUuCLe5uK5yCbEf 1p6k6Wm/hpYIyR39ZT8m/pokqcDnrjwOLg8YYcY9I7KPJ2dh+OrVQzaQdLGQr+VJ TOre7R6/1fQheFFZSggxSyUXH2SlIjDdCbRN =8N3y -----END PGP SIGNATURE-----
--- End Message ---
