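An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles filenames that NTFS treats as equivalent to another name because of Alternate Data Streams: the path validation does not recognise such a name as a second spelling of the same file (the signatures below target `only_spaces_and_dots` and `verify_dotgit_ntfs` in src/path.c). This may allow remote code execution when cloning a repository, so the exposure is in clients that clone or check out repositories they do not control onto NTFS volumes; releases 0.28.4 and 0.99.0 carry the fix. This issue is similar to CVE-2019-1352.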
{ "vanir_signatures": [ { "digest": { "length": 187.0, "function_hash": "334228689799873034616583224043572814311" }, "target": { "function": "only_spaces_and_dots", "file": "src/path.c" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2020-12278-057b646f", "source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb", "deprecated": false }, { "digest": { "line_hashes": [ "108193159272336527294922498355120781778", "168696676604906338760080497384714187929" ], "threshold": 0.9 }, "target": { "file": "tests/path/dotgit.c" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-12278-77fe0a52", "source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb", "deprecated": false }, { "digest": { "line_hashes": [ "67643414561346827047252582287335553368", "161775868457229572254969846233468835126", "300749777448919314626617997008976429146" ], "threshold": 0.9 }, "target": { "file": "tests/checkout/nasty.c" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-12278-bc8b0a39", "source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01", "deprecated": false }, { "digest": { "length": 635.0, "function_hash": "138464184776582813693965786405820629166" }, "target": { "function": "verify_dotgit_ntfs", "file": "src/path.c" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2020-12278-bf7ab8fe", "source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01", "deprecated": false }, { "digest": { "length": 344.0, "function_hash": "215952766853611671430221167949782745440" }, "target": { "function": "test_path_dotgit__dotgit_modules_symlink", "file": "tests/path/dotgit.c" }, "signature_version": "v1", "signature_type": "Function", "id": "CVE-2020-12278-c12fb24b", "source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb", "deprecated": false }, { 
"digest": { "line_hashes": [ "207333267718056996405747804506618814446", "232915964967517859136355871988975093200", "206563144425427101112601160652327453230", "278549392676235406755515526898783769056" ], "threshold": 0.9 }, "target": { "file": "src/path.c" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-12278-d524c03b", "source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01", "deprecated": false }, { "digest": { "line_hashes": [ "115313385144348768602035450890856830614", "71630582082332557933362078827281385895", "41060068646927360613742676298274082445", "335105883863474486117359305112049561000" ], "threshold": 0.9 }, "target": { "file": "src/path.c" }, "signature_version": "v1", "signature_type": "Line", "id": "CVE-2020-12278-f9a09ad1", "source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb", "deprecated": false } ] }