MGASA-2019-0391 - Updated libgit2 packages fix security vulnerabilities

Publication date: 15 Dec 2019
URL: https://advisories.mageia.org/MGASA-2019-0391.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-1348,
     CVE-2019-1350,
     CVE-2019-1387

libgit2 has been updated to version 0.28.4 to fix several security issues:

* A carefully constructed commit object with a very large number
  of parents may lead to potential out-of-bounds writes or
  potential denial of service.

* CVE-2019-1348: the fast-import stream command "feature
  export-marks=path" allows writing to arbitrary file paths. As
  libgit2 does not offer any interface for fast-import, it is not
  susceptible to this vulnerability.

* CVE-2019-1350: recursive clones may lead to arbitrary remote
  code executing due to improper quoting of command line
  arguments. As libgit2 uses libssh2, which does not require us
  to perform command line parsing, it is not susceptible to this
  vulnerability.

* CVE-2019-1387: it is possible to let a submodule's git
  directory point into a sibling's submodule directory, which may
  result in overwriting parts of the Git repository and thus lead
  to arbitrary command execution. As libgit2 doesn't provide any
  way to do submodule clones natively, it is not susceptible to
  this vulnerability. Users of libgit2 that have implemented
  recursive submodule clones manually are encouraged to review
 their implementation for this vulnerability.

References:
- https://bugs.mageia.org/show_bug.cgi?id=25348
- https://github.com/libgit2/libgit2/releases/tag/v0.28.3
- https://github.com/libgit2/libgit2/releases/tag/v0.28.4
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1348
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1350
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387

SRPMS:
- 7/core/libgit2-0.28.4-1.mga7