An issue was discovered in libgit2 where checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is the libgit2 variant of CVE-2019-1353.

https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
https://github.com/libgit2/libgit2/releases/tag/v0.28.4
https://github.com/libgit2/libgit2/releases/tag/v0.99.0
Created libgit2 tracking bugs for this issue:
Affects: epel-all [bug 1829423]
Affects: fedora-all [bug 1829425]

Created libgit2:0.26/libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1829427]

Created libgit2:0.27/libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1829429]

Created libgit2:0.28/libgit2 tracking bugs for this issue:
Affects: fedora-all [bug 1829432]
Statement: Even if the code in the versions of libgit2 shipped with Red Hat Enterprise Linux 7 and 8 is affected by this flaw, Red Hat does not support the NTFS filesystem or Windows Subsystem for Linux (WSL). For this reason, the flaw has a Low Impact.
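
An added example (not libgit2's or Git's own code) of the kind of name check that guards checkout against the flaw described above: it refuses tree-entry paths that NTFS would resolve to `.git`, including the 8.3 short name `GIT~1` that NTFS usually assigns to it. It goes slightly beyond short names by also covering trailing dots/spaces and a `:` stream suffix; the function names are hypothetical and the sample paths in use are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive match of a lowercase prefix; returns its length, or 0. */
static size_t ci_prefix(const char *s, size_t n, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (n < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)
        if (tolower((unsigned char)s[i]) != prefix[i])
            return 0;
    return plen;
}

/* One path component: would NTFS open the same entry as ".git"? */
static int component_is_ntfs_dotgit(const char *s, size_t n)
{
    size_t i = ci_prefix(s, n, ".git");
    if (!i)
        i = ci_prefix(s, n, "git~1");  /* 8.3 short name usually given to ".git" */
    if (!i)
        return 0;
    /* NTFS ignores trailing dots and spaces; ':' begins a stream suffix */
    while (i < n && (s[i] == '.' || s[i] == ' '))
        i++;
    return i == n || s[i] == ':';
}

/* Returns 1 if any component of a tree-entry path must be refused at checkout. */
int path_hits_ntfs_dotgit(const char *path)
{
    const char *start = path;
    for (const char *p = path; ; p++) {
        /* NTFS accepts both separators, so split on either one */
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (component_is_ntfs_dotgit(start, (size_t)(p - start)))
                return 1;
            if (*p == '\0')
                return 0;
            start = p + 1;
        }
    }
}
```

A check like this has to run regardless of the host operating system, since a Linux process can still be writing to an NTFS volume.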