Lucene search

K
gentooGentoo FoundationGLSA-202003-42
HistoryMar 19, 2020 - 12:00 a.m.

libgit2: Multiple vulnerabilities

2020-03-1900:00:00
Gentoo Foundation
security.gentoo.org
13

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.087

Percentile

94.6%

Background

libgit2 is a portable, pure C implementation of the Git core methods provided as a re-entrant linkable library with a solid API.

Description

Multiple vulnerabilities have been discovered in libgit2. Please review the CVE identifiers referenced below for details.

Impact

An attacker could possibly overwrite arbitrary paths, execute arbitrary code, and overwrite files in the .git directory.

Workaround

There is no known workaround at this time.

Resolution

All libgit2 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libgit2-0.28.4"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-libs/libgit2< 0.28.4UNKNOWN

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.087

Percentile

94.6%