Candidate: CVE-2018-8098
PublicDate: 2018-03-14 00:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8098
 https://github.com/libgit2/libgit2/commit/3207ddb0103543da8ad2139ec6539f590f9900c1
 https://github.com/libgit2/libgit2/commit/3db1af1f370295ad5355b8f64b865a2a357bcac0
 https://libgit2.github.com/security/
Description:
 Integer overflow in the index.c:read_entry() function while decompressing a
 compressed prefix length in libgit2 before v0.26.2 allows an attacker to
 cause a denial of service (out-of-bounds read) via a crafted repository
 index file.
Ubuntu-Description:
Notes:
 msalvatore> Downgrading to low: "As the index is never transferred via the
             network, exploitation requires an attacker to have access to the
             local repository."
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892961
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]


Patches_libgit2:
upstream_libgit2: released (0.27.4+dfsg.1-0.1)
precise/esm_libgit2: DNE
trusty_libgit2: ignored (out of standard support)
trusty/esm_libgit2: needed
xenial_libgit2: ignored (end of standard support, was needed)
artful_libgit2: ignored (reached end-of-life)
bionic_libgit2: needed
cosmic_libgit2: not-affected (0.27.4+dfsg.1-0.1)
disco_libgit2: not-affected (0.27.4+dfsg.1-0.1)
eoan_libgit2: not-affected (0.27.4+dfsg.1-0.1)
focal_libgit2: not-affected (0.27.4+dfsg.1-0.1)
groovy_libgit2: not-affected (0.27.4+dfsg.1-0.1)
hirsute_libgit2: not-affected (0.27.4+dfsg.1-0.1)
impish_libgit2: not-affected (0.27.4+dfsg.1-0.1)
jammy_libgit2: not-affected (0.27.4+dfsg.1-0.1)
devel_libgit2: not-affected (0.27.4+dfsg.1-0.1)