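An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names: on an NTFS volume an 8.3 short name is a second name for the same file or directory, so a path in the repository being checked out can refer to a location that the checkout path checks are meant to reject (the regression test referenced in the signatures below is named `test_checkout_nasty__git_tilde1`, which suggests the short name of the `.git` directory). This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353. The signatures below reference `checkout_verify_paths` in src/checkout.c, the function touched by the linked fix commit.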
{ "vanir_signatures": [ { "id": "CVE-2020-12279-18c21614", "signature_type": "Function", "digest": { "function_hash": "54554569915003734768761110712720175172", "length": 109.0 }, "source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4", "target": { "file": "tests/checkout/nasty.c", "function": "test_checkout_nasty__git_tilde1" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2020-12279-577666bb", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "34151097703912068279059189515774524754", "640971338307182747042490539310138101", "261090504824042527251622828911835319539", "190820267254834495437436494656192599698", "109452042279548290592481542638704603152", "183873679057880809488074463187073290050" ] }, "source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4", "target": { "file": "tests/checkout/nasty.c" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2020-12279-9b82710e", "signature_type": "Function", "digest": { "function_hash": "270919345757994032373988505154932358300", "length": 636.0 }, "source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4", "target": { "file": "src/checkout.c", "function": "checkout_verify_paths" }, "deprecated": false, "signature_version": "v1" }, { "id": "CVE-2020-12279-fa1bf32c", "signature_type": "Line", "digest": { "threshold": 0.9, "line_hashes": [ "91163887863019740474463251087811095055", "163293920236655175007224761102751500986", "304947559022233408970519915295579978259", "337098278619693989970552484739974126394" ] }, "source": "https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4", "target": { "file": "src/checkout.c" }, "deprecated": false, "signature_version": "v1" } ] }