Bug 2263095 (CVE-2024-24577) - CVE-2024-24577 libgit2: arbitrary code execution due to heap corruption in git_index_add
Keywords:
Status: NEW
Alias: CVE-2024-24577
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2263096 2263097 2263098 2263099 2263100
Blocks: 2263090
Reported: 2024-02-07 00:47 UTC by Robb Gatica
Modified: 2024-02-19 05:33 UTC

Fixed In Version: libgit2 1.6.5, libgit2 1.7.2
Doc Type: ---
Doc Text:
A flaw was found in libgit2, a cross-platform, linkable library implementation of Git. A specially crafted payload to git_index_add can cause heap corruption that could be leveraged for arbitrary code execution. The attacker must be able to trigger two consecutive calls to git_index_add with a filename that starts with a / character to exploit this vulnerability. To control the heap corruption, the attacker must be able to control the ctime field of the git_index_entry data structure.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Robb Gatica 2024-02-07 00:47:24 UTC
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing you to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data, leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in versions 1.6.5 and 1.7.2.

https://github.com/libgit2/libgit2/releases/tag/v1.6.5
https://github.com/libgit2/libgit2/releases/tag/v1.7.2
https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8

Comment 1 Robb Gatica 2024-02-07 00:52:58 UTC
Created libgit2 tracking bugs for this issue:

Affects: fedora-all [bug 2263096]


Created rust tracking bugs for this issue:

Affects: epel-all [bug 2263098]
Affects: fedora-all [bug 2263099]


Created rust-libgit2-sys tracking bugs for this issue:

Affects: fedora-all [bug 2263100]