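An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. During checkout, checkout.c mishandles filenames that NTFS treats as equivalent to one another because of its short (8.3) names; for example, a path component such as `git~1` can refer to the same directory as `.git`. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.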
[
{
"digest": {
"function_hash": "54554569915003734768761110712720175172",
"length": 109.0
},
"id": "CVE-2020-12279-18c21614",
"target": {
"function": "test_checkout_nasty__git_tilde1",
"file": "tests/checkout/nasty.c"
},
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"34151097703912068279059189515774524754",
"640971338307182747042490539310138101",
"261090504824042527251622828911835319539",
"190820267254834495437436494656192599698",
"109452042279548290592481542638704603152",
"183873679057880809488074463187073290050"
]
},
"id": "CVE-2020-12279-577666bb",
"target": {
"file": "tests/checkout/nasty.c"
},
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4",
"deprecated": false
},
{
"digest": {
"function_hash": "270919345757994032373988505154932358300",
"length": 636.0
},
"id": "CVE-2020-12279-9b82710e",
"target": {
"function": "checkout_verify_paths",
"file": "src/checkout.c"
},
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"91163887863019740474463251087811095055",
"163293920236655175007224761102751500986",
"304947559022233408970519915295579978259",
"337098278619693989970552484739974126394"
]
},
"id": "CVE-2020-12279-fa1bf32c",
"target": {
"file": "src/checkout.c"
},
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4",
"deprecated": false
}
]