CVE-2024-24577

EUVD-2024-21982
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
GitHub_MCNA
8.6 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
libgit2libgit2
𝑥
< 1.6.5
libgit2libgit2
1.7.0 ≤
𝑥
< 1.7.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libgit2
bookworm
1.5.1+ds-1+deb12u1
fixed
bookworm (security)
1.5.1+ds-1+deb12u1
fixed
bullseye
1.1.0+dfsg.1-4+deb11u2
fixed
bullseye (security)
1.1.0+dfsg.1-4+deb11u2
fixed
forky
1.9.1+ds-1
fixed
sid
1.9.2+ds-2
fixed
trixie
1.9.0+ds-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libgit2
bionic
Fixed 0.26.0+dfsg.1-1.1ubuntu0.2+esm1
released
focal
Fixed 0.28.4+dfsg.1-2ubuntu0.1
released
jammy
Fixed 1.1.0+dfsg.1-4.1ubuntu0.1
released
mantic
Fixed 1.5.1+ds-1ubuntu1.1
released
noble
not-affected
oracular
not-affected
plucky
not-affected
questing
not-affected
trusty
needed
xenial
Fixed 0.24.1-2ubuntu0.2+esm2
released
Common Weakness Enumeration
References
https://github.com/libgit2/libgit2/releases/tag/v1.6.5
https://github.com/libgit2/libgit2/releases/tag/v1.7.2
https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/
https://github.com/libgit2/libgit2/releases/tag/v1.6.5
https://github.com/libgit2/libgit2/releases/tag/v1.7.2
https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S635BGHHZUMRPI7QOXOJ45QHDD5FFZ3S/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z6MXOX7I43OWNN7R6M54XLG6U5RXY244/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGNHOEE2RBLH7KCJUPUNYG4CDTW4HTBT/