CVE-2016-10128 - Vulnerability Details - OpenCVE

Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Libgit2 Project	Libgit2

Configuration 1 [-]

OR	cpe:2.3:a:libgit2_project:libgit2::::::::
	cpe:2.3:a:libgit2_project:libgit2:0.25.0:::::::*
	cpe:2.3:a:libgit2_project:libgit2:0.25.0:rc1::::::
	cpe:2.3:a:libgit2_project:libgit2:0.25.0:rc2::::::

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html
http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html
http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
http://www.openwall.com/lists/oss-security/2017/01/10/5
http://www.openwall.com/lists/oss-security/2017/01/11/6
http://www.securityfocus.com/bid/95338
https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2
https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834
https://libgit2.github.com/security/

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2017-03-24T15:00:00

Updated: 2024-08-06T03:14:42.380Z

Reserved: 2017-01-10T00:00:00

Link: CVE-2016-10128

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-03-24T15:59:00.153

Modified: 2024-11-21T02:43:21.960

Link: CVE-2016-10128

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-27T09:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"name": "95338", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95338"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://libgit2.github.com/security/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2"}, {"name": "[oss-security] 20170110 CVE Request: two security fixes in libgit2 0.25.1, 0.24.6", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2017/01/10/5"}, {"name": "[oss-security] 20170110 Re: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2017/01/11/6"}, {"name": "openSUSE-SU-2017:0397", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html"}, {"name": "openSUSE-SU-2017:0405", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html"}, {"name": "openSUSE-SU-2017:0484", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2016-10128", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "95338", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95338"}, {"name": "https://libgit2.github.com/security/", "refsource": "CONFIRM", "url": "https://libgit2.github.com/security/"}, {"name": "https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834", "refsource": "CONFIRM", "url": "https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834"}, {"name": "https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2", "refsource": "CONFIRM", "url": "https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2"}, {"name": "[oss-security] 20170110 CVE Request: two security fixes in libgit2 0.25.1, 0.24.6", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/01/10/5"}, {"name": "[oss-security] 20170110 Re: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2017/01/11/6"}, {"name": "openSUSE-SU-2017:0397", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html"}, {"name": "openSUSE-SU-2017:0405", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html"}, {"name": "openSUSE-SU-2017:0484", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T03:14:42.380Z"}, "title": "CVE Program Container", "references": [{"name": "95338", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95338"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://libgit2.github.com/security/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2"}, {"name": "[oss-security] 20170110 CVE Request: two security fixes in libgit2 0.25.1, 0.24.6", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2017/01/10/5"}, {"name": "[oss-security] 20170110 Re: CVE Request: two security fixes in libgit2 0.25.1, 0.24.6", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2017/01/11/6"}, {"name": "openSUSE-SU-2017:0397", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html"}, {"name": "openSUSE-SU-2017:0405", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html"}, {"name": "openSUSE-SU-2017:0484", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2016-10128", "datePublished": "2017-03-24T15:00:00", "dateReserved": "2017-01-10T00:00:00", "dateUpdated": "2024-08-06T03:14:42.380Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libgit2_project:libgit2:*:*:*:*:*:*:*:*", "matchCriteriaId": "6747DEC6-17F3-45F9-B98B-5161469D89F7", "versionEndIncluding": "0.24.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:libgit2_project:libgit2:0.25.0:*:*:*:*:*:*:*", "matchCriteriaId": "157A6552-8A3B-42B7-8BA3-24B03BD7812E", "vulnerable": true}, {"criteria": "cpe:2.3:a:libgit2_project:libgit2:0.25.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "EB081C3A-79B4-48A9-B6C2-46641293244B", "vulnerable": true}, {"criteria": "cpe:2.3:a:libgit2_project:libgit2:0.25.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D0A1B2E8-B0EC-41B9-A8B2-DD6A0A8DF14C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to have unspecified impact via a crafted non-flush packet."}, {"lang": "es", "value": "Desbordamiento de b\u00fafer en la funci\u00f3n git_pkt_parse_line en transports/smart_pkt.c en el soporte Git Smart Protocol en libgit2 en versiones anteriores a 0.24.6 y 0.25.x en versiones anteriores a 0.25.1 permite a atacantes remotos tener impacto no especificado a trav\u00e9s de un paquete non-flush manipulado."}], "id": "CVE-2016-10128", "lastModified": "2024-11-21T02:43:21.960", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-24T15:59:00.153", "references": [{"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html"}, {"source": "security@debian.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/10/5"}, {"source": "security@debian.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/11/6"}, {"source": "security@debian.org", "url": "http://www.securityfocus.com/bid/95338"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834"}, {"source": "security@debian.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://libgit2.github.com/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/10/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2017/01/11/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/95338"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/commit/4ac39c76c0153d1ee6889a0984c39e97731684b2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/libgit2/libgit2/commit/66e3774d279672ee51c3b54545a79d20d1ada834"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://libgit2.github.com/security/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}