Unrated severity · NVD Advisory · Published Aug 18, 2018 · Updated Aug 5, 2024

CVE-2018-15501

CVE-2018-15501

Description

In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x before 0.27.4, a remote attacker can send a crafted smart-protocol "ng" packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS.

Affected products

4

Patches

3
e98d0a37c935

Merge pull request #4757 from pks-t/pks/v0.26.6

https://github.com/libgit2/libgit2Patrick SteinhardtAug 6, 2018via osv
4 files changed · +26 4
  • CHANGELOG.md+15 0 modified
    @@ -1,3 +1,18 @@
    +v0.26.6
    +-------
    +
    +This is a security release fixing out-of-bounds reads when
    +processing smart-protocol "ng" packets.
    +
    +When parsing an "ng" packet, we keep track of both the current position
    +as well as the remaining length of the packet itself. But instead of
    +taking care not to exceed the length, we pass the current pointer's
    +position to `strchr`, which will search for a certain character until
    +hitting NUL. It is thus possible to create a crafted packet which
    +doesn't contain a NUL byte to trigger an out-of-bounds read.
    +
    +The issue was discovered by the oss-fuzz project, issue 9406.
    +
     v0.26.5
     -------
     
    
  • include/git2/version.h+2 2 modified
    @@ -7,10 +7,10 @@
     #ifndef INCLUDE_git_version_h__
     #define INCLUDE_git_version_h__
     
    -#define LIBGIT2_VERSION "0.26.5"
    +#define LIBGIT2_VERSION "0.26.6"
     #define LIBGIT2_VER_MAJOR 0
     #define LIBGIT2_VER_MINOR 26
    -#define LIBGIT2_VER_REVISION 5
    +#define LIBGIT2_VER_REVISION 6
     #define LIBGIT2_VER_PATCH 0
     
     #define LIBGIT2_SOVERSION 26
    
  • src/transports/smart_pkt.c+8 2 modified
    @@ -299,8 +299,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
     	pkt->ref = NULL;
     	pkt->type = GIT_PKT_NG;
     
    +	if (len < 3)
    +		goto out_err;
     	line += 3; /* skip "ng " */
    -	if (!(ptr = strchr(line, ' ')))
    +	len -= 3;
    +	if (!(ptr = memchr(line, ' ', len)))
     		goto out_err;
     	len = ptr - line;
     
    @@ -311,8 +314,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
     	memcpy(pkt->ref, line, len);
     	pkt->ref[len] = '\0';
     
    +	if (len < 1)
    +		goto out_err;
     	line = ptr + 1;
    -	if (!(ptr = strchr(line, '\n')))
    +	len -= 1;
    +	if (!(ptr = memchr(line, '\n', len)))
     		goto out_err;
     	len = ptr - line;
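Review bot: The second `memchr` is bounded by the wrong length: `len = ptr - line;` at the end of the first hunk overwrites the remaining packet length with the length of the ref token, so when `len -= 1; memchr(line, '\n', len)` runs, `len` is the ref length minus one (the `memcpy(pkt->ref, line, len)` context line shows it is still the ref length at that point). A ref that is longer than the message following it can therefore still let the search run past the end of the packet, and a one-character ref makes the bound zero so a well-formed packet is rejected. Tracking the end of the buffer once avoids both: `const char *eol = line + len;` on entry, then `memchr(line, ' ', eol - line)` and `memchr(line, '\n', eol - line)`. The declarations and the lines between the two hunks are outside the visible diff, so confirm nothing there restores `len`; the same two hunks appear unchanged in the 8b89f362a34f and 1f9a8510e1d2 sections further down.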
     
    
  • .travis.yml+1 0 modified
    @@ -37,6 +37,7 @@ addons:
         - valgrind
     
     sudo: false
    +osx_image: xcode8.3
     
     matrix:
      fast_finish: true
    
8b89f362a34f

Merge pull request #4756 from pks-t/pks/v0.27.4

https://github.com/libgit2/libgit2Patrick SteinhardtAug 6, 2018via osv
4 files changed · +26 4
  • CHANGELOG.md+15 0 modified
    @@ -1,3 +1,18 @@
    +v0.27.4
    +-------
    +
    +This is a security release fixing out-of-bounds reads when
    +processing smart-protocol "ng" packets.
    +
    +When parsing an "ng" packet, we keep track of both the current position
    +as well as the remaining length of the packet itself. But instead of
    +taking care not to exceed the length, we pass the current pointer's
    +position to `strchr`, which will search for a certain character until
    +hitting NUL. It is thus possible to create a crafted packet which
    +doesn't contain a NUL byte to trigger an out-of-bounds read.
    +
    +The issue was discovered by the oss-fuzz project, issue 9406.
    +
     v0.27.3
     -------
     
    
  • include/git2/version.h+2 2 modified
    @@ -7,10 +7,10 @@
     #ifndef INCLUDE_git_version_h__
     #define INCLUDE_git_version_h__
     
    -#define LIBGIT2_VERSION "0.27.3"
    +#define LIBGIT2_VERSION "0.27.4"
     #define LIBGIT2_VER_MAJOR 0
     #define LIBGIT2_VER_MINOR 27
    -#define LIBGIT2_VER_REVISION 3
    +#define LIBGIT2_VER_REVISION 4
     #define LIBGIT2_VER_PATCH 0
     
     #define LIBGIT2_SOVERSION 27
    
  • src/transports/smart_pkt.c+8 2 modified
    @@ -299,8 +299,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
     	pkt->ref = NULL;
     	pkt->type = GIT_PKT_NG;
     
    +	if (len < 3)
    +		goto out_err;
     	line += 3; /* skip "ng " */
    -	if (!(ptr = strchr(line, ' ')))
    +	len -= 3;
    +	if (!(ptr = memchr(line, ' ', len)))
     		goto out_err;
     	len = ptr - line;
     
    @@ -311,8 +314,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
     	memcpy(pkt->ref, line, len);
     	pkt->ref[len] = '\0';
     
    +	if (len < 1)
    +		goto out_err;
     	line = ptr + 1;
    -	if (!(ptr = strchr(line, '\n')))
    +	len -= 1;
    +	if (!(ptr = memchr(line, '\n', len)))
     		goto out_err;
     	len = ptr - line;
     
    
  • .travis.yml+1 0 modified
    @@ -21,6 +21,7 @@ env:
       - OPTIONS="-DTHREADSAFE=OFF -DBUILD_EXAMPLES=ON -DENABLE_WERROR=ON"
     
     dist: trusty
    +osx_image: xcode8.3
     sudo: false
     
     addons:
    
1f9a8510e1d2

smart_pkt: fix potential OOB-read when processing ng packet

https://github.com/libgit2/libgit2Patrick SteinhardtJul 19, 2018via osv
1 file changed · +8 2
  • src/transports/smart_pkt.c+8 2 modified
    @@ -299,8 +299,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
     	pkt->ref = NULL;
     	pkt->type = GIT_PKT_NG;
     
    +	if (len < 3)
    +		goto out_err;
     	line += 3; /* skip "ng " */
    -	if (!(ptr = strchr(line, ' ')))
    +	len -= 3;
    +	if (!(ptr = memchr(line, ' ', len)))
     		goto out_err;
     	len = ptr - line;
     
    @@ -311,8 +314,11 @@ static int ng_pkt(git_pkt **out, const char *line, size_t len)
     	memcpy(pkt->ref, line, len);
     	pkt->ref[len] = '\0';
     
    +	if (len < 1)
    +		goto out_err;
     	line = ptr + 1;
    -	if (!(ptr = strchr(line, '\n')))
    +	len -= 1;
    +	if (!(ptr = memchr(line, '\n', len)))
     		goto out_err;
     	len = ptr - line;
     
    


References

8
