The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:
git_revparse_single
function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2
crate via the Repository::revparse_single
method.git_index_add
function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2
crate via the Index::add
method.The libgit2-sys
crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys
bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.
It is recommended that all users upgrade.
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-02-12T15:42:14Z" }