CVE-2018-10887

moderate-risk
Published 2018-07-10

A flaw was found in libgit2 before version 0.27.3. It has been discovered that an unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.

Do I need to act?

-
0.26% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / LOW complexity

Affected Products (3)

Libgit2

Affected Vendors

Debian Libgit2

References (12)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1598021
Patch https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac...
Patch https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d...
Patch https://github.com/libgit2/libgit2/releases/tag/v0.27.3
Mailing List https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1598021
Patch https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac...
Patch https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d...
Patch https://github.com/libgit2/libgit2/releases/tag/v0.27.3
Mailing List https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
38
/ 100
moderate-risk
Severity 28/34 · Critical
Exploitability 1/34 · Minimal
Exposure 9/34 · Low