RUSTSEC-2024-0013
- Source
- https://rustsec.org/advisories/RUSTSEC-2024-0013
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0013.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2024-0013
- Aliases
- Related
- Published
- 2024-02-06T12:00:00Z
- Modified
- 2024-02-15T01:26:53.398583Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- Memory corruption, denial of service, and arbitrary code execution in libgit2
- Details
-
The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:
- The
git_revparse_singlefunction can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in thegit2crate via theRepository::revparse_singlemethod. - The
git_index_addfunction may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in thegit2crate via theIndex::addmethod. - The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.
The
libgit2-syscrate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release oflibgit2-sysbundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.It is recommended that all users upgrade.
- The
- References
Affected packages
crates.io / libgit2-sys
Package
- Name
- libgit2-sys
- View open source insights on deps.dev
- Purl
- pkg:cargo/libgit2-sys