An issue was discovered in libgit2 where path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is the libgit2 variant of CVE-2019-1352.

References:
https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
https://github.com/libgit2/libgit2/releases/tag/v0.28.4
https://github.com/libgit2/libgit2/releases/tag/v0.99.0

Statement: Even if the code in the versions of libgit2 shipped with Red Hat Enterprise Linux 7 and 8 is affected by this flaw, Red Hat does not support the NTFS filesystem. For this reason, the flaw has a Low Impact.

Created libgit2 tracking bugs for this issue:
Affects: epel-all [bug 1829422]
Affects: fedora-all [bug 1829424]

Created libgit2:0.26/libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1829426]

Created libgit2:0.27/libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1829428]

Created libgit2:0.28/libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1829431]