CVE-2020-12279

Description

An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.

References

https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html

https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html

https://github.com/libgit2/libgit2/releases/tag/v0.99.0

https://github.com/libgit2/libgit2/releases/tag/v0.28.4

https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4

https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3