Reported

February 6, 2024

Issued

February 9, 2024 (last modified: February 14, 2024)

Package

libgit2-sys (crates.io)

Type

Vulnerability

Categories

• denial-of-service
• code-execution
• memory-corruption

Aliases

• GHSA-22q8-ghmq-63vf

References

• https://github.com/rust-lang/git2-rs/pull/1017
• https://github.com/libgit2/libgit2/releases/tag/v1.7.2

Related

• CVE-2024-24575
• CVE-2024-24577
• GHSA-54mf-x2rh-hq9v
• GHSA-j2v7-4f6v-gpg8

CVSS Score

8.6 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Patched

• >=0.16.2

Affected Functions

Version

libgit2_sys::git_index_add

• <0.16.2

libgit2_sys::git_revparse_single

• <0.16.2, >=0.13.0

Description

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

• The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
• The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
• The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

Advisory available under CC0-1.0 license.