libgit2-1_1-1.1.1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10943 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libgit2-1_1-1.1.1-1.2 on GA media These are all security issues fixed in the libgit2-1_1-1.1.1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10943 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10943 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2005-4900/ SUSE CVE CVE-2005-4900 page https://www.suse.com/security/cve/CVE-2016-10128/ SUSE CVE CVE-2016-10128 page https://www.suse.com/security/cve/CVE-2016-10130/ SUSE CVE CVE-2016-10130 page https://www.suse.com/security/cve/CVE-2018-10887/ SUSE CVE CVE-2018-10887 page https://www.suse.com/security/cve/CVE-2018-11235/ SUSE CVE CVE-2018-11235 page https://www.suse.com/security/cve/CVE-2018-17456/ SUSE CVE CVE-2018-17456 page https://www.suse.com/security/cve/CVE-2018-8098/ SUSE CVE CVE-2018-8098 page https://www.suse.com/security/cve/CVE-2019-1348/ SUSE CVE CVE-2019-1348 page https://www.suse.com/security/cve/CVE-2019-1349/ SUSE CVE CVE-2019-1349 page https://www.suse.com/security/cve/CVE-2019-1350/ SUSE CVE CVE-2019-1350 page https://www.suse.com/security/cve/CVE-2019-1351/ SUSE CVE CVE-2019-1351 page https://www.suse.com/security/cve/CVE-2019-1352/ SUSE CVE CVE-2019-1352 page https://www.suse.com/security/cve/CVE-2019-1353/ SUSE CVE CVE-2019-1353 page https://www.suse.com/security/cve/CVE-2019-1354/ SUSE CVE CVE-2019-1354 page https://www.suse.com/security/cve/CVE-2019-1387/ SUSE CVE CVE-2019-1387 page openSUSE Tumbleweed libgit2-1_1-1.1.1-1.2 libgit2-1_1-32bit-1.1.1-1.2 libgit2-devel-1.1.1-1.2 libgit2-1_1-1.1.1-1.2 as a component of openSUSE Tumbleweed libgit2-1_1-32bit-1.1.1-1.2 as a component of openSUSE Tumbleweed libgit2-devel-1.1.1-1.2 as a component of openSUSE Tumbleweed SHA-1 is not collision resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks, as demonstrated by attacks on the use of SHA-1 in TLS 1.2. NOTE: this CVE exists to provide a common identifier for referencing this SHA-1 issue; the existence of an identifier is not, by itself, a technology recommendation. CVE-2005-4900 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2005-4900.html CVE-2005-4900 https://bugzilla.suse.com/1026646 SUSE Bug 1026646 https://bugzilla.suse.com/1026936 SUSE Bug 1026936 https://bugzilla.suse.com/1042640 SUSE Bug 1042640 https://bugzilla.suse.com/1150998 SUSE Bug 1150998 Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet. CVE-2016-10128 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10128.html CVE-2016-10128 https://bugzilla.suse.com/1019036 SUSE Bug 1019036 The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable. CVE-2016-10130 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10130.html CVE-2016-10130 https://bugzilla.suse.com/1019037 SUSE Bug 1019037 A flaw was found in libgit2 before version 0.27.3. It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service. CVE-2018-10887 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10887.html CVE-2018-10887 https://bugzilla.suse.com/1100613 SUSE Bug 1100613 In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. CVE-2018-11235 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11235.html CVE-2018-11235 https://bugzilla.suse.com/1095219 SUSE Bug 1095219 Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character. CVE-2018-17456 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-17456.html CVE-2018-17456 https://bugzilla.suse.com/1110949 SUSE Bug 1110949 Integer overflow in the index.c:read_entry() function while decompressing a compressed prefix length in libgit2 before v0.26.2 allows an attacker to cause a denial of service (out-of-bounds read) via a crafted repository index file. CVE-2018-8098 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-8098.html CVE-2018-8098 https://bugzilla.suse.com/1085256 SUSE Bug 1085256 https://bugzilla.suse.com/1085257 SUSE Bug 1085257 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. The --export-marks option of git fast-import is exposed also via the in-stream command feature export-marks=... and it allows overwriting arbitrary paths. CVE-2019-1348 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1348.html CVE-2019-1348 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. CVE-2019-1349 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1349.html CVE-2019-1349 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387. CVE-2019-1350 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1350.html CVE-2019-1350 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158788 SUSE Bug 1158788 A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'. CVE-2019-1351 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1351.html CVE-2019-1351 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158789 SUSE Bug 1158789 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387. CVE-2019-1352 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1352.html CVE-2019-1352 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158787 SUSE Bug 1158787 https://bugzilla.suse.com/1158790 SUSE Bug 1158790 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active. CVE-2019-1353 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1353.html CVE-2019-1353 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158791 SUSE Bug 1158791 A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387. CVE-2019-1354 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1354.html CVE-2019-1354 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158792 SUSE Bug 1158792 An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones. CVE-2019-1387 openSUSE Tumbleweed:libgit2-1_1-1.1.1-1.2 openSUSE Tumbleweed:libgit2-1_1-32bit-1.1.1-1.2 openSUSE Tumbleweed:libgit2-devel-1.1.1-1.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1387.html CVE-2019-1387 https://bugzilla.suse.com/1158785 SUSE Bug 1158785 https://bugzilla.suse.com/1158793 SUSE Bug 1158793