CVE-2016-8568 — MEDIUM (5.5)

Q: What is CVE-2016-8568?

CVE-2016-8568 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The git_commit_message function in oid.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file.

Q: How severe is CVE-2016-8568?

CVE-2016-8568 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-8568?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Opensuse Leap, Opensuse Opensuse, Suse Linux Enterprise, Libgit2 Project Libgit2.

Vulnerability Description

The git_commit_message function in oid.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file.

CVSS Score

5.5

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Fedoraproject	Fedora	23
Opensuse	Leap	42.1
Opensuse	Opensuse	13.2
Suse	Linux Enterprise	12.0
Libgit2 Project	Libgit2	<= 0.24.2

Related Weaknesses (CWE)

CWE-125

References

http://lists.opensuse.org/opensuse-updates/2016-12/msg00075.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00103.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00110.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00114.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/08/7Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/93466Third Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1383211Issue Tracking
https://github.com/libgit2/libgit2/issues/3936Issue TrackingPatchThird Party Advisory
https://github.com/libgit2/libgit2/releases/tag/v0.24.3Issue TrackingPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
http://lists.opensuse.org/opensuse-updates/2016-12/msg00075.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00103.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2017-01/msg00110.htmlThird Party Advisory

FAQ

What is CVE-2016-8568?

CVE-2016-8568 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The git_commit_message function in oid.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file.

How severe is CVE-2016-8568?

CVE-2016-8568 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-8568?

Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Opensuse Leap, Opensuse Opensuse, Suse Linux Enterprise, Libgit2 Project Libgit2.