Bugzilla – Bug 1219664
VUL-0: CVE-2024-24575: git,libgit2: potential infinite loop condition in git_revparse_single()
Last modified: 2024-07-17 14:01:28 UTC
libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing you to build Git functionality into your application.

Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker.

As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-24575
https://github.com/libgit2/libgit2/commit/add2dabb3c16aa49b33904dcdc07cd915efc12fa
https://github.com/libgit2/libgit2/releases/tag/v1.6.5
https://github.com/libgit2/libgit2/releases/tag/v1.7.2
https://github.com/libgit2/libgit2/security/advisories/GHSA-54mf-x2rh-hq9v
https://www.cve.org/CVERecord?id=CVE-2024-24575
https://bugzilla.redhat.com/show_bug.cgi?id=2263092
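As an added example (not libgit2 code and not part of this bug report), a small C check that classifies a libgit2 version against the affected ranges stated above: before 1.4.0 not affected, fixed in 1.6.5 and 1.7.2. It assumes that releases after 1.7.2 carry the fix and that 1.5.x received no backport; the sample version fed to main() is constructed, and in a real build the three integers would come from libgit2's `git_libgit2_version()`.

```c
#include <stdio.h>

enum cve_status { VERSION_UNPARSEABLE = -1, NOT_AFFECTED = 0, AFFECTED = 1, FIXED = 2 };

/* Pack MAJOR.MINOR.REV into one comparable integer (assumes each component < 1000). */
static long pack_version(int major, int minor, int rev) {
    return (long)major * 1000000L + (long)minor * 1000L + rev;
}

/* Classify a libgit2 version for CVE-2024-24575 using the ranges in the advisory:
 * the defect exists from 1.4.0 onward and is fixed in 1.6.5 and 1.7.2.
 * Assumption: everything from 1.7.2 upward is fixed; 1.5.x has no fixed release. */
enum cve_status cve_2024_24575_status(int major, int minor, int rev) {
    long v = pack_version(major, minor, rev);
    if (major < 0 || minor < 0 || rev < 0) return VERSION_UNPARSEABLE;
    if (v < pack_version(1, 4, 0)) return NOT_AFFECTED;
    if (major == 1 && minor == 6)            /* 1.6 branch: fixed from 1.6.5 */
        return v >= pack_version(1, 6, 5) ? FIXED : AFFECTED;
    if (v >= pack_version(1, 7, 2)) return FIXED;
    return AFFECTED;                         /* 1.4.x, 1.5.x, 1.7.0, 1.7.1 */
}

/* Same check on a "MAJOR.MINOR.REV" string, e.g. the output of
 * `pkg-config --modversion libgit2` or a package version in a build log. */
enum cve_status cve_2024_24575_status_str(const char *version) {
    int major, minor, rev;
    if (version == NULL || sscanf(version, "%d.%d.%d", &major, &minor, &rev) != 3)
        return VERSION_UNPARSEABLE;
    return cve_2024_24575_status(major, minor, rev);
}

int main(void) {
    /* Constructed sample; with libgit2 linked, replace with
     * git_libgit2_version(&major, &minor, &rev) to test the runtime library. */
    int major = 1, minor = 7, rev = 1;
    static const char *names[] = { "NOT_AFFECTED", "AFFECTED", "FIXED" };
    enum cve_status s = cve_2024_24575_status(major, minor, rev);
    if (s == VERSION_UNPARSEABLE) {
        fprintf(stderr, "could not classify version\n");
        return 2;
    }
    printf("libgit2 %d.%d.%d: %s for CVE-2024-24575\n", major, minor, rev, names[s]);
    return s == AFFECTED ? 1 : 0;  /* non-zero exit lets a CI job fail on a vulnerable build */
}
```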
https://build.opensuse.org/request/show/1144998
Andreas, you used the wrong CVE in the submit; can you fix it and resubmit? (24574 instead of 24575)
https://build.opensuse.org/request/show/1145384
Only SUSE:SLE-15-SP6:Update libgit2 is affected. git seems not to have this code pattern.
camila.matos@suse.com set the needinfo flag on me, and I assume this was done in combination with a comment marked private. If you wish to engage with a volunteer community member, feel free to do so with public comments. If this is for anything other than openSUSE, though, please contact the SUSE bug assignee or the SUSE Product Security team.
(In reply to Andreas Stieger from comment #10)
> camila.matos@suse.com set the needinfo flag on me, and I assume this was
> done in combination with a comment marked private. If you wish to engage
> with a volunteer community member, feel free to do so with public comments.
> If this is for anything other than openSUSE, though, please contact the
> SUSE bug assignee or the SUSE Product Security team.

My apologies, it was my mistake. There is no need to worry about the original needinfo request, as I have already adjusted it. Thanks for the answer!
Scott B. - Can you take this one and submit an upgrade from 1.7.1 to 1.7.2? This is a minor version bump with no changes except for bugfixes, so we don't need an ECO.
(In reply to Scott Reeves from comment #12)
> Scott B. - Can you take this one and submit an upgrade from 1.7.1 to 1.7.2.
> This is a minor version bump with no changes except for bugfix so we don't
> need an ECO.

I've submitted an update to v1.7.2 via https://build.suse.de/request/show/339133 for SUSE:SLE-15-SP6:Update