Candidate: CVE-2018-10887
PublicDate: 2018-07-10 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10887
 https://bugzilla.redhat.com/show_bug.cgi?id=1598021
 https://github.com/libgit2/libgit2/releases/tag/v0.27.3
Description:
 A flaw was found in libgit2 before version 0.27.3. It has been discovered
 that an unexpected sign extension in git_delta_apply function in delta.c
 file may lead to an integer overflow which in turn leads to an out of bound
 read, allowing to read before the base object. An attacker may use this
 flaw to leak memory addresses or cause a Denial of Service.
Ubuntu-Description:
 It was discovered that libgit2 mishandled specially crafted input. If a victim
 were tricked into cloning a malicious repository or applying a malicious
 patch, an attacker could cause libgit2 to leak sensitive information or crash.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mikesalvatore
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H [8.1 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H [8.1 HIGH]


Patches_libgit2:
 other: https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a
 other: https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22
upstream_libgit2: released (0.27.4+dfsg.1-0.1)
precise/esm_libgit2: DNE
trusty_libgit2: released (0.19.0-2ubuntu0.4)
trusty/esm_libgit2: released (0.19.0-2ubuntu0.4)

xenial_libgit2: released (0.24.1-2ubuntu0.2)

artful_libgit2: ignored (reached end-of-life)
bionic_libgit2: released (0.26.0+dfsg.1-1.1ubuntu0.2)

devel_libgit2: not-affected (0.27.4+dfsg.1-0.1)