CVE-2022-0393 Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
Due to a flaw in libgit2, it was possible to trigger a denial-of-service (DoS) attack on GitHub repositories by requesting maliciously-crafted remote repos. libgit2 is the distributed version control system (DVCS) library that libgit2-dev is the package dependency.
Prior to the release of libgit2 version 1.14.0, a remote DoS attack could be launched against repositories on GitHub by requesting a maliciously crafted Git repository.
In the libgit2 package, there was a vulnerability in version 1.14.0 for Red Hat Enterprise Linux 7 that could lead to a Denial-of-Service (DoS) attack against GitHub repositories. This issue has been fixed in version 1.19.2. Red Hat does not recommend updating to this version, as it is a security release. Instead, Red Hat recommends updating the libgit2 package, as detailed below.
Libgit2 package required for updating
The libgit2 package required for updating to version 1.19.2 is libgit2-dev 2.18.0-1 or higher
If you are running a previous version of the libgit2 package, update it to the latest available version 2.18.0-1 or higher first before updating to the latest version of libgit2 in order to prevent any issues.
How to update libgit2 on Red Hat Enterprise Linux 7
You should update to version 1.19.2 of libgit2 on Red Hat Enterprise Linux 7 in order to mitigate the vulnerability that was addressed by this security release.
To update:
yum -y update libgit2-1*
or, for more detail on what's updated and how, refer to the changelog:
yum -y --changelog libgit2-1*
Update libgit2 to version 1.19.2
To update the libgit2 package, use the following command:
yum update libgit2
Timeline
Published on: 01/28/2022 22:15:00 UTC
Last modified on: 08/21/2022 08:15:00 UTC
References
- https://huntr.dev/bounties/ecc8f488-01a0-477f-848f-e30b8e524bba
- https://github.com/vim/vim/commit/a4bc2dd7cccf5a4a9f78b58b6f35a45d17164323
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/
- https://security.gentoo.org/glsa/202208-32
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0393