CVE-2016-10130

The http_connect function in transports/http.c in libgit2 before 0.24.6 and 0.25.x before 0.25.1 might allow man-in-the-middle attackers to spoof servers by leveraging clobbering of the error variable.

References

Affected packages

Git / github.com/libgit2/libgit2

Affected ranges

Type: GIT
Repo: https://github.com/libgit2/libgit2
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22

Fixed

b5c6a1b407b7f8b952bded2789593b68b1876211

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v0.2.0

v0.20.0

v0.21.0

v0.21.0-rc1

v0.21.0-rc2

v0.22.0

v0.22.0-rc1

v0.22.0-rc2

v0.23.0

v0.23.0-rc1

v0.23.0-rc2

v0.24.0

v0.24.0-rc1

v0.24.1

v0.24.2

v0.24.3

v0.24.4

v0.24.5

v0.25.0

v0.25.0-rc1

v0.25.0-rc2

v0.3.0

v0.8.0

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "id": "CVE-2016-10130-38834b57",
        "target": {
            "file": "src/transports/http.c",
            "function": "http_connect"
        },
        "signature_version": "v1",
        "digest": {
            "function_hash": "318247992408900916298322585007822052541",
            "length": 1705.0
        },
        "deprecated": false,
        "source": "https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1876211"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2016-10130-bae22778",
        "target": {
            "file": "src/transports/http.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "41661622924679872820485924092865500866",
                "193636358063097759214999378978920200563",
                "283241526558171429306071759488049258192",
                "91166795071158107891136958663602337790",
                "51273040654368137999328432674070513002",
                "300264548954108489270359162159651110606",
                "72503220256604289807738209762998253897",
                "86526419933920457111589238345365215882"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/libgit2/libgit2/commit/b5c6a1b407b7f8b952bded2789593b68b1876211"
    },
    {
        "signature_type": "Function",
        "id": "CVE-2016-10130-e6d14d99",
        "target": {
            "file": "src/transports/http.c",
            "function": "http_connect"
        },
        "signature_version": "v1",
        "digest": {
            "function_hash": "886347240987743745827901455911811629",
            "length": 1411.0
        },
        "deprecated": false,
        "source": "https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22"
    },
    {
        "signature_type": "Line",
        "id": "CVE-2016-10130-ebebf2dd",
        "target": {
            "file": "src/transports/http.c"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "41661622924679872820485924092865500866",
                "193636358063097759214999378978920200563",
                "283241526558171429306071759488049258192",
                "91166795071158107891136958663602337790",
                "51273040654368137999328432674070513002",
                "300264548954108489270359162159651110606",
                "72503220256604289807738209762998253897",
                "86526419933920457111589238345365215882"
            ]
        },
        "deprecated": false,
        "source": "https://github.com/libgit2/libgit2/commit/9a64e62f0f20c9cf9b2e1609f037060eb2d8eb22"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10130.json"