GHSA-22q8-ghmq-63vf
First published: Mon Feb 12 2024(Updated: )
The [libgit2](https://github.com/libgit2/libgit2/) project fixed three security issues in the 1.7.2 release. These issues are: * The `git_revparse_single` function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the `git2` crate via the [`Repository::revparse_single`](https://docs.rs/git2/latest/git2/struct.Repository.html#method.revparse_single) method. * The `git_index_add` function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the `git2` crate via the [`Index::add`](https://docs.rs/git2/latest/git2/struct.Index.html#method.add) method. * The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities. The `libgit2-sys` crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of `libgit2-sys` bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2. It is recommended that all users upgrade.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rust/libgit2-sys | <0.16.2 | 0.16.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-22q8-ghmq-63vf
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- collector/github-advisory
- package-manager/rust