Vulnerability Description
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libgit2 | Libgit2 | < 1.6.5 |
Related Weaknesses (CWE)
References
- https://github.com/libgit2/libgit2/releases/tag/v1.6.5Release Notes
- https://github.com/libgit2/libgit2/releases/tag/v1.7.2Release Notes
- https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://github.com/libgit2/libgit2/releases/tag/v1.6.5Release Notes
- https://github.com/libgit2/libgit2/releases/tag/v1.7.2Release Notes
- https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
- https://lists.fedoraproject.org/archives/list/[email protected]
- https://lists.fedoraproject.org/archives/list/[email protected]
FAQ
What is CVE-2024-24577?
CVE-2024-24577 is a vulnerability with a CVSS score of 8.6 (HIGH). libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to ...
How severe is CVE-2024-24577?
CVE-2024-24577 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-24577?
Check the references section above for vendor advisories and patch information. Affected products include: Libgit2 Libgit2.