CVE-2020-12279

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.

Database specific

{
    "unresolved_ranges": [
        {
            "vendor_product": "debian:debian_linux",
            "extracted_events": [
                {
                    "last_affected": "9.0"
                }
            ],
            "source": "CPE_STRING",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ]
        }
    ]
}

References

Affected packages

Git / github.com/libgit2/libgit2

Affected ranges

Type

GIT

Repo

https://github.com/libgit2/libgit2

Events

Introduced

Fixed

106a5f27586504ea371528191f0ea3aac2ad432b

Fixed

64c612cc3e25eff5fb02c59ef5a66ba7a14751e4

Fixed

172239021f7ba04fe7327647b213799853a9eb89

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.28.4"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*"
}

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.2.0

v0.21.0

v0.22.0

v0.22.0-rc1

v0.22.0-rc2

v0.23.0

v0.23.0-rc1

v0.23.0-rc2

v0.24.0

v0.24.0-rc1

v0.26.0

v0.26.0-rc1

v0.26.0-rc2

v0.27.0

v0.27.0-rc1

v0.27.0-rc2

v0.27.0-rc3

v0.28.0

v0.28.0-rc1

v0.28.1

v0.28.2

v0.28.3

v0.3.0

v0.8.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12279.json"