CVE-2018-8099 — Double Free in Libgit2

CWE-415 — Double Free CWE-125 — Out-of-bounds Read8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

1.2%

top 21.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libgit2 Debian Libgit2 Debian Linux

Timeline

PublishedMar 14

Latest updateApr 30

Description

Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2 before v0.26.2, which allows an attacker to cause a denial of service via a crafted repository index file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libgit2< libgit2 0.27.0+dfsg.1-0.6 (bookworm)

▶NVDlibgit2/libgit2< 0.26.2

▶Debianlibgit2/libgit2< 0.27.0+dfsg.1-0.6+3

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: libgit2.github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-mhmm-r9x5-v638: Incorrect returning of an error code in the index↗2022-04-30

▶

OSV

CVE-2018-8099: Incorrect returning of an error code in the index↗2018-03-14

▶

📋Vendor Advisories

Red Hat

libgit2: denial of service (DoS) via crafted repository index files↗2018-03-08

▶

Debian

CVE-2018-8099: libgit2 - Incorrect returning of an error code in the index.c:read_entry() function leads ...↗2018

▶

💬Community

Bugzilla

CVE-2018-8099 CVE-2018-8098 libgit2: denial of service (DoS) via crafted repository index files [fedora-all]↗2018-03-12

▶

Bugzilla

CVE-2018-8099 CVE-2018-8098 libgit2: denial of service (DoS) via crafted repository index files [epel-all]↗2018-03-12

▶

Bugzilla

CVE-2018-8099 CVE-2018-8098 libgit2: denial of service (DoS) via crafted repository index files↗2018-03-12

▶