From da4911ca94b4a51f2046c3736afb87632a7d865a Mon Sep 17 00:00:00 2001 From: Eric Huss Date: Fri, 9 Feb 2024 18:45:39 -0800 Subject: [PATCH] Add advisory for libgit2-sys (#1879) * Add advisory for libgit2-sys * Fix function prefix. * Remove empty affected table --- crates/libgit2-sys/RUSTSEC-0000-0000.md | 30 +++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 crates/libgit2-sys/RUSTSEC-0000-0000.md diff --git a/crates/libgit2-sys/RUSTSEC-0000-0000.md b/crates/libgit2-sys/RUSTSEC-0000-0000.md new file mode 100644 index 0000000..bff55a8 --- /dev/null +++ b/crates/libgit2-sys/RUSTSEC-0000-0000.md @@ -0,0 +1,30 @@ +```toml +[advisory] +id = "RUSTSEC-0000-0000" +package = "libgit2-sys" +date = "2024-02-06" +url = "https://github.com/rust-lang/git2-rs/pull/1017" +references = ["https://github.com/libgit2/libgit2/releases/tag/v1.7.2"] +categories = ["denial-of-service", "code-execution", "memory-corruption"] +cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" +related = ["GHSA-j2v7-4f6v-gpg8", "CVE-2024-24577", "GHSA-54mf-x2rh-hq9v", "CVE-2024-24575"] + +[affected.functions] +"libgit2_sys::git_revparse_single" = ["< 0.16.2, >= 0.13.0"] +"libgit2_sys::git_index_add" = ["< 0.16.2"] + +[versions] +patched = [">= 0.16.2"] +``` + +# Memory corruption, denial of service, and arbitrary code execution in libgit2 + +The [libgit2](https://github.com/libgit2/libgit2/) project fixed three security issues in the 1.7.2 release. These issues are: + +* The `git_revparse_single` function can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in the `git2` crate via the [`Repository::revparse_single`](https://docs.rs/git2/latest/git2/struct.Repository.html#method.revparse_single) method. +* The `git_index_add` function may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in the `git2` crate via the [`Index::add`](https://docs.rs/git2/latest/git2/struct.Index.html#method.add) method. +* The smart transport negotiation may experience an out-of-bounds read when a remote server did not advertise capabilities. + +The `libgit2-sys` crate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release of `libgit2-sys` bundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2. + +It is recommended that all users upgrade.