Your message dated Sat, 10 Feb 2024 17:17:18 +0000
with message-id <e1ryqyc-002jrf...@fasolo.debian.org>
and subject line Bug#1063416: fixed in libgit2 1.5.1+ds-1+deb12u1
has caused the Debian Bug report #1063416,
regarding libgit2: CVE-2024-24577: Arbitrary code execution due to heap corruption in `git_index_add`
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1063416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063416
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgit2
Version: 1.7.1+ds-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.5.1+ds-1
Control: found -1 1.1.0+dfsg.1-4+deb11u1
Control: found -1 1.1.0+dfsg.1-4
Hi,
The following vulnerability was published for libgit2.
CVE-2024-24577[0]:
| libgit2 is a portable C implementation of the Git core methods
| provided as a linkable library with a solid API, allowing to build
| Git functionality into your application. Using well-crafted inputs
| to `git_index_add` can cause heap corruption that could be leveraged
| for arbitrary code execution. There is an issue in the
| `has_dir_name` function in `src/libgit2/index.c`, which frees an
| entry that should not be freed. The freed entry is later used and
| overwritten with potentially bad actor-controlled data leading to
| controlled heap corruption. Depending on the application that uses
| libgit2, this could lead to arbitrary code execution. This issue has
| been patched in version 1.6.5 and 1.7.2.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24577
https://www.cve.org/CVERecord?id=CVE-2024-24577
[1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
[2] https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
[3] https://github.com/libgit2/libgit2/commit/487af0cf6687dc48b0a960fa2f39894e2d84d77b
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libgit2
Source-Version: 1.5.1+ds-1+deb12u1
Done: Timo Röhling <roehl...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libgit2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Röhling <roehl...@debian.org> (supplier of updated libgit2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 08 Feb 2024 12:31:43 +0100
Source: libgit2
Architecture: source
Version: 1.5.1+ds-1+deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Utkarsh Gupta <utka...@debian.org>
Changed-By: Timo Röhling <roehl...@debian.org>
Closes: 1063415 1063416
Changes:
libgit2 (1.5.1+ds-1+deb12u1) bookworm-security; urgency=high
.
  * Team upload.
  * Fix CVE-2024-24575: Denial of service attack in git_revparse_single
    (Closes: #1063415)
  * Fix CVE-2024-24577: Use-after-free in git_index_add
    (Closes: #1063416)
--- End Message ---