RUSTSEC-2024-0013

Source
https://rustsec.org/advisories/RUSTSEC-2024-0013
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0013.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2024-0013
Aliases
Related
Published
2024-02-06T12:00:00Z
Modified
2024-02-15T01:42:05.105395Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Memory corruption, denial of service, and arbitrary code execution in libgit2
Details

The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:

  • The git_revparse_single function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the git2 crate via the Repository::revparse_single method.
  • The git_index_add function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the git2 crate via the Index::add method.
  • The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2-sys crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of libgit2-sys bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.

It is recommended that all users upgrade.

References

Affected packages

crates.io / libgit2-sys

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.16.2

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "libgit2_sys::git_index_add",
            "libgit2_sys::git_revparse_single"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
    "informational": null,
    "categories": [
        "denial-of-service",
        "code-execution",
        "memory-corruption"
    ]
}