CVE-2018-10887 — HIGH (8.1)

Q: How severe is CVE-2018-10887?

CVE-2018-10887 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10887?

Check the references section above for vendor advisories and patch information. Affected products include: Libgit2 Libgit2, Debian Debian Linux.

Vulnerability Description

A flaw was found in libgit2 before version 0.27.3. It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libgit2	Libgit2	< 0.27.3
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-194 CWE-190 CWE-681 CWE-125

References

https://bugzilla.redhat.com/show_bug.cgi?id=1598021Issue TrackingPatch
https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffacPatch
https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47dPatch
https://github.com/libgit2/libgit2/releases/tag/v0.27.3PatchRelease Notes
https://lists.debian.org/debian-lts-announce/2018/08/msg00024.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.htmlMailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1598021Issue TrackingPatch
https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffacPatch
https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47dPatch
https://github.com/libgit2/libgit2/releases/tag/v0.27.3PatchRelease Notes
https://lists.debian.org/debian-lts-announce/2018/08/msg00024.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00031.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2018-10887?

CVE-2018-10887 is a vulnerability with a CVSS score of 8.1 (HIGH). A flaw was found in libgit2 before version 0.27.3. It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn le...

How severe is CVE-2018-10887?

CVE-2018-10887 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10887?

Check the references section above for vendor advisories and patch information. Affected products include: Libgit2 Libgit2, Debian Debian Linux.