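An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles filenames that NTFS treats as equivalent to `.git` because of NTFS Alternate Data Streams, so a path stored in a repository can pass the `.git` path check and still resolve to the `.git` directory when it is checked out onto an NTFS volume. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352. The signatures below are Vanir missing-patch signatures for src/path.c (including `verify_dotgit_ntfs`) and the associated tests; a match suggests the fix commits listed under `source` have not been applied to the scanned tree.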
{ "vanir_signatures": [ { "id": "CVE-2020-12278-77fe0a52", "signature_type": "Line", "digest": { "line_hashes": [ "108193159272336527294922498355120781778", "168696676604906338760080497384714187929" ], "threshold": 0.9 }, "target": { "file": "tests/path/dotgit.c" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb" }, { "id": "CVE-2020-12278-bc8b0a39", "signature_type": "Line", "digest": { "line_hashes": [ "67643414561346827047252582287335553368", "161775868457229572254969846233468835126", "300749777448919314626617997008976429146" ], "threshold": 0.9 }, "target": { "file": "tests/checkout/nasty.c" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01" }, { "id": "CVE-2020-12278-bf7ab8fe", "signature_type": "Function", "digest": { "function_hash": "138464184776582813693965786405820629166", "length": 635.0 }, "target": { "file": "src/path.c", "function": "verify_dotgit_ntfs" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01" }, { "id": "CVE-2020-12278-c12fb24b", "signature_type": "Function", "digest": { "function_hash": "215952766853611671430221167949782745440", "length": 344.0 }, "target": { "file": "tests/path/dotgit.c", "function": "test_path_dotgit__dotgit_modules_symlink" }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb" }, { "id": "CVE-2020-12278-d524c03b", "signature_type": "Line", "digest": { "line_hashes": [ "207333267718056996405747804506618814446", "232915964967517859136355871988975093200", "206563144425427101112601160652327453230", "278549392676235406755515526898783769056" ], "threshold": 0.9 }, "target": { "file": "src/path.c" }, "deprecated": false, "signature_version": "v1", "source": 
"https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01" } ] }