Source: libgit2
Version: 1.7.1+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.5.1+ds-1

Hi,

The following vulnerability was published for libgit2.

CVE-2024-24575[0]:
| libgit2 is a portable C implementation of the Git core methods
| provided as a linkable library with a solid API, allowing to build
| Git functionality into your application. Using well-crafted inputs
| to `git_revparse_single` can cause the function to enter an infinite
| loop, potentially causing a Denial of Service attack in the calling
| application. The revparse function in `src/libgit2/revparse.c` uses
| a loop to parse the user-provided spec string. There is an edge-case
| during parsing that allows a bad actor to force the loop conditions
| to access arbitrary memory. Potentially, this could also leak memory
| if the extracted rev spec is reflected back to the attacker. As
| such, libgit2 versions before 1.4.0 are not affected. Users should
| upgrade to version 1.6.5 or 1.7.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24575
    https://www.cve.org/CVERecord?id=CVE-2024-24575
[1] https://github.com/libgit2/libgit2/security/advisories/GHSA-54mf-x2rh-hq9v
[2] https://github.com/libgit2/libgit2/commit/c9d31b711e8906cf248566f43142f20b03e20cbf
[3] https://github.com/libgit2/libgit2/commit/7f6f3dff9c41f3be7598693aa3c716c8354fba7f

Regards,
Salvatore
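As an added illustration of the bug class the advisory describes, and not code from libgit2, from the linked commits or from this report: a hypothetical toy revspec walker whose parsing loop re-checks the terminating NUL before every lookahead. It does not reproduce the real defect in `src/libgit2/revparse.c`; it only shows the defensive shape such a loop needs, so that truncated inputs like `HEAD^{` or `HEAD@` are rejected rather than driving the loop past the end of the string. The function name, the accepted modifier forms and the sample specs are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Hypothetical toy revspec walker (NOT libgit2's revparse.c). It splits a
 * spec such as "HEAD~2^{commit}" into the object name and the trailing
 * modifiers ("~N", "^", "^N", "^{...}", "@{...}") and counts the modifiers.
 *
 * Every lookahead happens only after the current character has been tested
 * against '\0', so a spec that stops in the middle of a modifier makes the
 * function return -1 instead of the loop reading beyond the string.
 *
 * Returns 0 on success (filling *name_len and *modifiers), -1 on a
 * malformed or truncated spec.
 */
int toy_revparse(const char *spec, size_t *name_len, int *modifiers)
{
    size_t pos = 0;
    int count = 0;

    /* The object name runs up to the first modifier character or the NUL. */
    while (spec[pos] != '\0' && spec[pos] != '~' && spec[pos] != '^' && spec[pos] != '@')
        pos++;
    if (pos == 0)
        return -1;                      /* empty object name */
    *name_len = pos;

    /* Modifier loop: the condition re-checks the terminator on every pass. */
    while (spec[pos] != '\0') {
        char c = spec[pos++];           /* spec[pos-1] was non-NUL, so spec[pos] is in bounds */

        if (c == '~') {
            /* "~" or "~N": the digit scan stops at any non-digit, NUL included */
            while (spec[pos] >= '0' && spec[pos] <= '9')
                pos++;
        } else if (c == '^') {
            if (spec[pos] == '{') {
                /* "^{...}": the closing brace must exist before the NUL */
                const char *close = strchr(spec + pos, '}');
                if (close == NULL)
                    return -1;
                pos = (size_t)(close - spec) + 1;
            } else {
                while (spec[pos] >= '0' && spec[pos] <= '9')
                    pos++;
            }
        } else if (c == '@') {
            /* Only the "@{...}" form is accepted here; a bare trailing "@" is malformed */
            if (spec[pos] != '{')
                return -1;
            const char *close = strchr(spec + pos, '}');
            if (close == NULL)
                return -1;
            pos = (size_t)(close - spec) + 1;
        } else {
            return -1;                  /* any other character after a modifier is malformed */
        }
        count++;
    }

    *modifiers = count;
    return 0;
}

int main(void)
{
    /* Constructed sample specs: well-formed ones followed by truncated edge cases. */
    const char *samples[] = { "HEAD~2^{commit}", "HEAD@{1}", "HEAD", "HEAD^{", "HEAD@", "~1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t name_len = 0;
        int mods = 0;
        int rc = toy_revparse(samples[i], &name_len, &mods);
        if (rc == 0)
            printf("%-16s ok: name_len=%zu modifiers=%d\n", samples[i], name_len, mods);
        else
            printf("%-16s rejected (malformed or truncated spec)\n", samples[i]);
    }
    return 0;
}
```

The point for a reviewer of any such loop is that each `pos++` is preceded by a test that `spec[pos]` is not the terminator, and that every "find the matching close" step uses a NUL-bounded search (`strchr`) rather than an unbounded scan; a fuzzer feeding truncated specs is the quickest way to confirm the loop always terminates.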