Severity: 9.8 CRITICAL (NVD)
EPSS: 0.4% (top 40.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 6; Latest update Mar 5

Description

libgit2 is a portable C implementation of the Git core methods, provided as a linkable library with a solid API that allows you to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlle

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (10 packages)

Source    | Package          | Affected range
debian    | debian/libgit2   | < libgit2 1.5.1+ds-1+deb12u1 (bookworm)
NVD       | libgit2/libgit2  | 1.7.0 to 1.7.2 (+1)
Debian    | libgit2/libgit2  | < 1.1.0+dfsg.1-4+deb11u2 (+3)
Ubuntu    | libgit2/libgit2  | < 0.28.4+dfsg.1-2ubuntu0.1 (+3)
CVEListV5 | libgit2/libgit2  | >= 1.7.0, < 1.7.2

🔴 Vulnerability Details (2)

OSV: libgit2 vulnerabilities (2024-03-05)
OSV: CVE-2024-24577: libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality in (2024-02-06)

📋 Vendor Advisories (4)

Ubuntu: libgit2 vulnerabilities (2024-03-05)
Microsoft: libgit2 is vulnerable to arbitrary code execution due to heap corruption in `git_index_add` (2024-02-13)
Red Hat: libgit2: arbitrary code execution due to heap corruption in git_index_add (2024-02-06)
Debian: CVE-2024-24577: libgit2 - libgit2 is a portable C implementation of the Git core methods provided as a lin... (2024)