GHSA-22q8-ghmq-63vf

Source

https://github.com/advisories/GHSA-22q8-ghmq-63vf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-22q8-ghmq-63vf/GHSA-22q8-ghmq-63vf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-22q8-ghmq-63vf

Aliases

RUSTSEC-2024-0013

Published

2024-02-12T15:42:14Z

Modified

2024-02-15T01:26:53.398583Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

libgit2-sys affected by memory corruption, denial of service, and arbitrary code execution in libgit2

Details

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

References

Affected packages

crates.io / libgit2-sys

Package

Name: libgit2-sys; View open source insights on deps.dev
Purl: pkg:cargo/libgit2-sys

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.16.2

Ecosystem specific

{
    "affected_functions": [
        "libgit2_sys::git_index_add",
        "libgit2_sys::git_revparse_single"
    ]
}