Bug 1219660 (CVE-2024-24577)

Summary: VUL-0: CVE-2024-24577: git,libgit2: arbitrary code execution due to heap corruption in git_index_add
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Scott Bradnick <scott.bradnick>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: antonio.teixeira, camila.matos, carlos.lopez, danilo.spinella, meissner, sreeves
Version: unspecifiedFlags: camila.matos: needinfo? (antonio.teixeira)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/393299/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-24577:8.6:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-07 08:43:06 UTC 
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24577
https://github.com/libgit2/libgit2/releases/tag/v1.6.5
https://github.com/libgit2/libgit2/releases/tag/v1.7.2
https://www.cve.org/CVERecord?id=CVE-2024-24577
https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
https://bugzilla.redhat.com/show_bug.cgi?id=2263095
Comment 2 Andreas Stieger 2024-02-07 19:59:47 UTC 
https://build.opensuse.org/request/show/1144998
Comment 3 Marcus Meissner 2024-05-19 18:53:37 UTC 
libgit2 affected everywhere.

git has it in read-cache.c, and it looks similar affected in 2.25.2 in SLE12.
also 2.43.0 still looks affected in SLE15 SP6.
Comment 10 Andreas Stieger 2024-07-12 14:33:10 UTC 
camila.matos@suse.com set the needinfo flag on me, and I assume this was done in combination with a comment marked private. (There are 5 private comments before bug 1219664 comment #3) If you wish to engage with a volunteer community member, feel free to do so with public comments. If this is for anything other than openSUSE, through, please contact the SUSE bug assignee or the SUSE Product Security team.
Comment 11 Camila Camargo de Matos 2024-07-12 16:12:41 UTC 
(In reply to Andreas Stieger from comment #10)
> camila.matos@suse.com set the needinfo flag on me, and I assume this was
> done in combination with a comment marked private. (There are 5 private
> comments before bug 1219664 comment #3) If you wish to engage with a
> volunteer community member, feel free to do so with public comments. If this
> is for anything other than openSUSE, through, please contact the SUSE bug
> assignee or the SUSE Product Security team.

My apologies, it was my mistake. There is no need to worry about the original needinfo request, as I have already adjusted it. Thanks for the answer!
Comment 12 Scott Reeves 2024-07-15 23:38:12 UTC 
Scott B. - can you take this one for the libgit2 update. For SLE-15-SP6 the update to 1.7.2 needed for 1219664 will cover this. For the other products a backport will likely be necessary.