{"id":"CVE-2016-10129","details":"The Git Smart Protocol support in libgit2 before 0.24.6 and 0.25.x before 0.25.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line.","modified":"2026-04-11T03:36:56.314554Z","published":"2017-03-24T15:59:00.230Z","related":["MGASA-2017-0319","SUSE-SU-2017:0433-1","openSUSE-SU-2017:0405-1"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/95339"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2017-02/msg00030.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2017-02/msg00036.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2017/01/11/6"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037"},{"type":"FIX","url":"https://libgit2.github.com/security/"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2017/01/10/5"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"last_affected":"428e18f8d4765b8ad6cf4022080a81ab16f6fdc4"},{"introduced":"0"},{"last_affected":"75db289a041b1f1084768244e167b953ac7eeaa5"},{"introduced":"0"},{"last_affected":"a6763ff93aed9a1486c4f84d77151ff57dd4795e"},{"introduced":"0"},{"last_affected":"75db289a041b1f1084768244e167b953ac7eeaa5"},{"fixed":"2fdef641fd0dd2828bd948234ae86de75221a11a"},{"fixed":"84d30d569ada986f3eef527cbdb932643c2dd037"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.24.5"},{"introduced":"0"},{"last_affected":"0.25.0"},{"introduced":"0"},{"last_affected":"0.25.0-rc1"},{"introduced":"0"},{"last_affected":"0.25.0-rc2"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.21.0","v0.22.0","v0.22.0-rc1","v0.22.0-rc2","v0.23.0","v0.23.0-rc1","v0.23.0-rc2","v0.24.0","v0.24.0-rc1","v0.24.1","v0.24.2","v0.24.3","v0.24.4","v0.24.5","v0.25.0","v0.25.0-rc1","v0.25.0-rc2","v0.3.0","v0.8.0"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a","digest":{"function_hash":"281870942429809697964233429407479786064","length":1554},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_pkt.c","function":"git_pkt_parse_line"},"id":"CVE-2016-10129-13623382"},{"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037","digest":{"function_hash":"11998386278566652511447441156810463108","length":767},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_protocol.c","function":"add_push_report_sideband_pkt"},"id":"CVE-2016-10129-195a9e9d"},{"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037","digest":{"threshold":0.9,"line_hashes":["152246948140881630936620450931454110309","16811967277530017021368320486600957734","292879344649057299944075837653643135603","298549967763928690655120293789489243655","1351908264529889708827696681179913415","209556476821616921868639732362087551565","4717289514444315326256119004573329260","31197857794155343171574802300529497082","49883739687684654055446185609463295700","209343592385465559184471154071075468438"]},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_protocol.c"},"id":"CVE-2016-10129-32280dec"},{"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a","digest":{"function_hash":"72184853542100227498318633168291035819","length":774},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_protocol.c","function":"add_push_report_sideband_pkt"},"id":"CVE-2016-10129-3da35acb"},{"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037","digest":{"function_hash":"281870942429809697964233429407479786064","length":1554},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_pkt.c","function":"git_pkt_parse_line"},"id":"CVE-2016-10129-6b0895d6"},{"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a","digest":{"function_hash":"135059002852762528863613157248762657959","length":1360},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_protocol.c","function":"parse_report"},"id":"CVE-2016-10129-74a8fb91"},{"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a","digest":{"threshold":0.9,"line_hashes":["101839755603793106290328484701736422963","293975838795653773247296107534766666266","34812744770404104391051262345145744343","313420562608858859424183210121050054975","169105847764280994761539095595198651178","22445389468608118118616150183562509198","59273898729997772823423609055344856504"]},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_pkt.c"},"id":"CVE-2016-10129-915a9770"},{"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/2fdef641fd0dd2828bd948234ae86de75221a11a","digest":{"threshold":0.9,"line_hashes":["152246948140881630936620450931454110309","16811967277530017021368320486600957734","292879344649057299944075837653643135603","298549967763928690655120293789489243655","1351908264529889708827696681179913415","209556476821616921868639732362087551565","4717289514444315326256119004573329260","31197857794155343171574802300529497082","49883739687684654055446185609463295700","209343592385465559184471154071075468438"]},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_protocol.c"},"id":"CVE-2016-10129-9c8e013c"},{"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037","digest":{"threshold":0.9,"line_hashes":["101839755603793106290328484701736422963","293975838795653773247296107534766666266","34812744770404104391051262345145744343","313420562608858859424183210121050054975","169105847764280994761539095595198651178","22445389468608118118616150183562509198","59273898729997772823423609055344856504"]},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_pkt.c"},"id":"CVE-2016-10129-c97927a5"},{"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/84d30d569ada986f3eef527cbdb932643c2dd037","digest":{"function_hash":"135059002852762528863613157248762657959","length":1360},"deprecated":false,"signature_version":"v1","target":{"file":"src/transports/smart_protocol.c","function":"parse_report"},"id":"CVE-2016-10129-cd5e456d"}],"vanir_signatures_modified":"2026-04-11T03:36:56Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10129.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}