Your message dated Sat, 10 Feb 2024 17:18:07 +0000
with message-id <e1ryqzp-002jy1...@fasolo.debian.org>
and subject line Bug#1063416: fixed in libgit2 1.1.0+dfsg.1-4+deb11u2
has caused the Debian Bug report #1063416,
regarding libgit2: CVE-2024-24577: Arbitrary code execution due to heap corruption in `git_index_add`
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1063416: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063416
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgit2
Version: 1.7.1+ds-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.5.1+ds-1
Control: found -1 1.1.0+dfsg.1-4+deb11u1
Control: found -1 1.1.0+dfsg.1-4

Hi,

The following vulnerability was published for libgit2.

CVE-2024-24577[0]:
| libgit2 is a portable C implementation of the Git core methods
| provided as a linkable library with a solid API, allowing you to build
| Git functionality into your application. Using well-crafted inputs
| to `git_index_add` can cause heap corruption that could be leveraged
| for arbitrary code execution. There is an issue in the
| `has_dir_name` function in `src/libgit2/index.c`, which frees an
| entry that should not be freed. The freed entry is later used and
| overwritten with potentially bad actor-controlled data leading to
| controlled heap corruption. Depending on the application that uses
| libgit2, this could lead to arbitrary code execution. This issue has
| been patched in version 1.6.5 and 1.7.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24577
    https://www.cve.org/CVERecord?id=CVE-2024-24577
[1] https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
[2] https://github.com/libgit2/libgit2/commit/eb4c1716cd92bf56f2770653a915d5fc01eab8f3
[3] https://github.com/libgit2/libgit2/commit/487af0cf6687dc48b0a960fa2f39894e2d84d77b

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libgit2
Source-Version: 1.1.0+dfsg.1-4+deb11u2
Done: Timo Röhling <roehl...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libgit2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling <roehl...@debian.org> (supplier of updated libgit2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Feb 2024 18:22:27 +0100
Source: libgit2
Architecture: source
Version: 1.1.0+dfsg.1-4+deb11u2
Distribution: bullseye-security
Urgency: medium
Maintainer: Utkarsh Gupta <utka...@debian.org>
Changed-By: Timo Röhling <roehl...@debian.org>
Closes: 1063416
Changes:
 libgit2 (1.1.0+dfsg.1-4+deb11u2) bullseye-security; urgency=medium
 .
   * Team upload.
   * Fix CVE-2024-24577: Use-after-free in git_index_add
     (Closes: #1063416)
Checksums-Sha1:
 f7a69de6a18130ce4a10aafb67c404b1cd8b4976 2102 libgit2_1.1.0+dfsg.1-4+deb11u2.dsc
 b32593dbbf0e7a382118cc144cb9bcb4c22f33a7 2901284 libgit2_1.1.0+dfsg.1.orig.tar.xz
 954b44ae15486815f7285209d6efedba2843f9d5 20560 libgit2_1.1.0+dfsg.1-4+deb11u2.debian.tar.xz
 34ddd7c068e1ed32607fba15545684a39852ce5b 7443 libgit2_1.1.0+dfsg.1-4+deb11u2_source.buildinfo
Checksums-Sha256:
 eb1c04a727f1f6f2b53ac590f907d4457476ffe824b34c45914d425432d74e14 2102 libgit2_1.1.0+dfsg.1-4+deb11u2.dsc
 d3eba7909c5df1023c25a44ead8ee97cfc36da91a84ca50837d90f4521cf4e04 2901284 libgit2_1.1.0+dfsg.1.orig.tar.xz
 5877ffeb58beba1b318d26e0da72ec8bccea488084330dff0c8340f4e90f8345 20560 libgit2_1.1.0+dfsg.1-4+deb11u2.debian.tar.xz
 62c2b8bdeec8f9fa90ec26e40720f42016aed0f8afb43838972ca35de0963952 7443 libgit2_1.1.0+dfsg.1-4+deb11u2_source.buildinfo
Files:
 c9ce9900f3c7b2e197a26fb903e507b2 2102 libs optional libgit2_1.1.0+dfsg.1-4+deb11u2.dsc
 950f6512ff615d6ad968b6f26eafff57 2901284 libs optional libgit2_1.1.0+dfsg.1.orig.tar.xz
 3536568eba5f489313dd45b7735fcaad 20560 libs optional libgit2_1.1.0+dfsg.1-4+deb11u2.debian.tar.xz
 23cc9fa3c38b0e78afec18e3bde15890 7443 libs optional libgit2_1.1.0+dfsg.1-4+deb11u2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
