CVE-2020-12279: Release libgit2 v0.28.4 · libgit2/libgit2

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.

This is a security release fixing the following issues:

  • CVE-2019-1348: the fast-import stream command “feature
    export-marks=path” allows writing to arbitrary file paths. As
    libgit2 does not offer any interface for fast-import, it is not
    susceptible to this vulnerability.

  • CVE-2019-1349: by using NTFS 8.3 short names, backslashes or
    alternate file streams, it is possible to cause submodules to
    be written into pre-existing directories during a recursive
    clone using git. As libgit2 rejects cloning into non-empty
    directories by default, it is not susceptible to this
    vulnerability.

  • CVE-2019-1350: recursive clones may lead to arbitrary remote
    code execution due to improper quoting of command line
    arguments. As libgit2 uses libssh2, which does not require us
    to perform command line parsing, it is not susceptible to this
    vulnerability.

  • CVE-2019-1351: Windows provides the ability to substitute
    drive letters with arbitrary letters, including multi-byte
    Unicode letters. To fix any potential issues arising from
    interpreting such paths as relative paths, we have extended
    detection of DOS drive prefixes to accommodate such cases.

  • CVE-2019-1352: by using NTFS-style alternative file streams for
    the “.git” directory, it is possible to overwrite parts of the
    repository. While this has been fixed in the past for Windows,
    the same vulnerability may also exist on other systems that
    write to NTFS filesystems. We now reject any paths starting
    with “.git:” on all systems.

  • CVE-2019-1353: by using NTFS-style 8.3 short names, it was
    possible to write to the “.git” directory and thus overwrite
    parts of the repository, leading to possible remote code
    execution. While this problem was already fixed in the past for
    Windows, other systems accessing NTFS filesystems are
    vulnerable to this issue too. We now enable NTFS protections by
    default on all systems to fix this attack vector.

  • CVE-2019-1354: on Windows, backslashes are not a valid part of
    a filename but are instead interpreted as directory separators.
    As other platforms allowed to use such paths, it was possible
    to write such invalid entries into a Git repository and was
    thus an attack vector to write into the “.git” directory. We
    now reject any entries starting with “.git” on all systems.

  • CVE-2019-1387: it is possible to let a submodule’s git
    directory point into a sibling’s submodule directory, which may
    result in overwriting parts of the Git repository and thus lead
    to arbitrary command execution. As libgit2 doesn’t provide any
    way to do submodule clones natively, it is not susceptible to
    this vulnerability. Users of libgit2 that have implemented
    recursive submodule clones manually are encouraged to review
    their implementation for this vulnerability.
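
For callers that write tree entries to disk themselves, the path classes named above (the ".git" directory, its NTFS 8.3 short name, a ".git:" alternate stream, and backslash separators) can be rejected with a per-component check applied on every platform. This is an added example, not libgit2's own code: `path_is_unsafe` and its helpers are hypothetical names, and the check is simplified (it assumes the usual short name `git~1` and does not cover other short-name variants or HFS+ equivalents).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

static int is_sep(char ch) { return ch == '/' || ch == '\\'; }

/* Case-insensitive match of a lowercase prefix; returns its length or 0. */
static size_t match_prefix(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (tolower((unsigned char)s[i]) != prefix[i])
            return 0;
    return i;
}

/* 1 if the component starting at c names ".git" as NTFS would resolve it. */
static int component_is_dotgit(const char *c)
{
    size_t n = match_prefix(c, ".git");
    if (!n)
        n = match_prefix(c, "git~1");   /* usual 8.3 short name of ".git" */
    if (!n)
        return 0;
    while (c[n] == '.' || c[n] == ' ')  /* Windows ignores trailing dots/spaces */
        n++;
    /* end of component, or ':' introducing an alternate data stream */
    return c[n] == '\0' || c[n] == ':' || is_sep(c[n]);
}

/* Hypothetical helper: 1 if any component of a tree-entry path must be rejected. */
int path_is_unsafe(const char *path)
{
    const char *c = path;
    while (*c) {
        if (component_is_dotgit(c))
            return 1;
        while (*c && !is_sep(*c))       /* skip the rest of this component */
            c++;
        while (is_sep(*c))              /* '\\' is a separator, as on Windows */
            c++;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from any real repository. */
    const char *samples[] = { ".git/config", "a/GIT~1/config", ".git:x", "a\\.git\\config", ".gitignore" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-16s %s\n", samples[i], path_is_unsafe(samples[i]) ? "reject" : "ok");
    return 0;
}
```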

Related news

Ubuntu Security Notice USN-6678-1

Ubuntu Security Notice 6678-1 - It was discovered that libgit2 mishandled equivalent filenames on NTFS partitions. If a user or automated system were tricked into cloning a specially crafted repository, an attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that libgit2 did not perform certificate checking by default. An attacker could possibly use this issue to perform a machine-in-the-middle attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
