{"id":"CVE-2018-10887","details":"A flaw was found in libgit2 before version 0.27.3. An unexpected sign extension in the git_delta_apply function in the delta.c file may lead to an integer overflow, which in turn leads to an out-of-bounds read, allowing memory before the base object to be read. An attacker may use this flaw to leak memory addresses or cause a denial of service.","modified":"2026-04-11T06:58:36.520820Z","published":"2018-07-10T14:29:00.260Z","related":["SUSE-SU-2018:2469-1","SUSE-SU-2018:3440-1","openSUSE-SU-2024:10943-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/08/msg00024.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1598021"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/releases/tag/v0.27.3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"fixed":"504bd54a2b57e8d606c63c00e5e15ea68a30bc5b"},{"fixed":"3f461902dc1072acb8b7607ee65d0a0458ffac2a"},{"fixed":"c1577110467b701dcbcf9439ac225ea851b47d22"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.27.3"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.21.0","v0.22.0","v0.22.0-rc1","v0.22.0-rc2","v0.23.0","v0.23.0-rc1","v0.23.0-rc2","v0.24.0","v0.24.0-rc1","v0.26.0","v0.26.0-rc1","v0.26.0-rc2","v0.27.0","v0.27.0-rc1","v0.27.0-rc2","v0.27.0-rc3","v0.27.1","v0.27.2","v0.3.0","v0.8.0"],"database_specific":{"vanir_signatures_modified":"2026-04-11T06:58:36Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10887.json","vanir_s
ignatures":[{"digest":{"length":1647,"function_hash":"50153901881954610807918949779039243924"},"deprecated":false,"id":"CVE-2018-10887-1585ab76","target":{"function":"git_delta_apply","file":"src/delta.c"},"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["93358178968321194831444214876825155984","153164923682411593608041793273404037304","33570991496418120927041558322251026310","25890608630727613520783049424086629885","8219917613978475874616252252903839753","157188723891115284879704770483038487554","159604477385763283317304130011059385784","81904769943703288569337594233540962291","112054984904375948736070256909490718514","165913531869763643342738475326403458842","137578180004472586807634081757936950735","248693588680834188084334061751426487955","44641286980390635702979826641543948021","282553991696690259056494778295165650355","167706338245615166082035964895252361564","23084315564040188015269456616744310927","329984421577273086786058054331424958785","188314240373868938705342051951699180651","236606851842754160901515092890706080877","276132694717688210291205250221461881669","142390257640951138957146834467012636402","87133306260567778534006037764680438181","24723767431555947822021443173930564179","125740413611477975180755802450891674951","126046746389768506668085498987763294456"]},"deprecated":false,"id":"CVE-2018-10887-45eb445f","target":{"file":"src/delta.c"},"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a","signature_version":"v1"},{"digest":{"length":1630,"function_hash":"30479628900503576871371879598159361351"},"deprecated":false,"id":"CVE-2018-10887-52e70510","target":{"function":"git_delta_apply","file":"src/delta.c"},"signature_type":"Function","source":"https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a","signature_version":
"v1"},{"digest":{"threshold":0.9,"line_hashes":["25890608630727613520783049424086629885","205307063431193828010410566590225596596","104755187980086926400873452967897138328","246214797780804558292486128338090090245","118319113467707406452273961369960474000","128397637477622903842078481926997632109","263241811020821181855373069697997938497","116704154704623022471621320862743374716","86420227134014276184589479866678038631"]},"deprecated":false,"id":"CVE-2018-10887-723ecc26","target":{"file":"src/delta.c"},"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/c1577110467b701dcbcf9439ac225ea851b47d22","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["321298229990734240231701353982565208171","338340993582561346439169088761704448539","72631701717246723849238254513035996107"]},"deprecated":false,"id":"CVE-2018-10887-894982c6","target":{"file":"tests/diff/binary.c"},"signature_type":"Line","source":"https://github.com/libgit2/libgit2/commit/3f461902dc1072acb8b7607ee65d0a0458ffac2a","signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"}]}