CVE-2020-12279
First published: Mon Apr 27 2020(Updated: )
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/libgit2 | <=0.27.7+dfsg.1-0.2 | 0.27.7+dfsg.1-0.2+deb10u2 1.1.0+dfsg.1-4+deb11u1 1.1.0+dfsg.1-4+deb11u2 1.5.1+ds-1 1.5.1+ds-1+deb12u1 1.7.2+ds-1 |
| ubuntu/libgit2 | <0.26.0+dfsg.1-1.1ubuntu0.2+ | 0.26.0+dfsg.1-1.1ubuntu0.2+ |
| ubuntu/libgit2 | <0.28.4<0.99.0 | 0.28.4 0.99.0 |
| ubuntu/libgit2 | <0.24.1-2ubuntu0.2+ | 0.24.1-2ubuntu0.2+ |
| libgit2 | <0.28.4 | |
| Debian GNU/Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v
- https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4
- https://github.com/libgit2/libgit2/releases/tag/v0.28.4
- https://github.com/libgit2/libgit2/releases/tag/v0.99.0
- https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
- https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
- https://launchpad.net/bugs/cve/CVE-2020-12279
- https://security-tracker.debian.org/tracker/CVE-2020-12279
- https://ubuntu.com/security/notices/USN-6678-1
- https://www.cve.org/CVERecord?id=CVE-2020-12279
- https://nvd.nist.gov/vuln/detail/CVE-2020-12279
- https://ubuntu.com/security/CVE-2020-12279
Frequently Asked Questions
What is CVE-2020-12279?
CVE-2020-12279 is a vulnerability discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0 that mishandles equivalent filenames that exist because of NTFS short names, potentially allowing remote code execution when cloning a repository.
What is the severity of CVE-2020-12279?
The severity of CVE-2020-12279 is critical, with a severity score of 9.8.
How does CVE-2020-12279 affect Libgit2?
CVE-2020-12279 affects Libgit2 versions before 0.28.4 and 0.9x before 0.99.0 by mishandling equivalent filenames due to NTFS short names, which could lead to remote code execution during repository cloning.
How can I fix CVE-2020-12279?
To fix CVE-2020-12279, update Libgit2 to version 0.28.4 or later.
Are there any references for CVE-2020-12279?
Yes, here are some references for CVE-2020-12279: - [GitHub Security Advisory](https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v) - [Libgit2 Commit](https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4) - [Libgit2 Releases](https://github.com/libgit2/libgit2/releases/tag/v0.28.4)
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/description
- agent/first-publish-date
- agent/author
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-index
- agent/softwarecombine
- package-manager/debian
- package-manager/ubuntu
- vendor/libgit2
- canonical/libgit2
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0