#VU32001 NULL pointer dereference in libgit2 - CVE-2016-10129


| Updated: 2023-01-22

Vulnerability identifier: #VU32001

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-10129

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libgit2
Universal components / Libraries / Libraries used by multiple products

Vendor: libgit2.github.com

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via an empty packet line.

Mitigation
Install update from vendor's website.

Vulnerable software versions

libgit2: 0.24.4.0 - 0.25.1.0

External links
https://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html
https://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html
https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
https://www.openwall.com/lists/oss-security/2017/01/10/5
https://www.openwall.com/lists/oss-security/2017/01/11/6
https://www.securityfocus.com/bid/95339
https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a
https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037
https://libgit2.github.com/security/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


NULL pointer dereference in libgit2-1.0 (Alpine package)
NULL pointer dereference in libgit2.github.com libgit2
Fedora EPEL 7 update for libgit2
NULL pointer dereference in libgit2-0.27 (Alpine package)
Arch Linux update for libgit2
Fedora 24 update for libgit2
Fedora 25 update for libgit2