Libgit2 · Libgit2 · CVE-2024-24577
**Name of the Vulnerable Software and Affected Versions**
libgit2 versions prior to 1.6.5
libgit2 versions prior to 1.7.2
**Description**
The issue is a heap corruption vulnerability in the `has_dir_name` function in `src/libgit2/index.c`, which can be exploited for arbitrary code execution. It is triggered by well-crafted inputs to `git_index_add`, allowing a remote attacker to potentially execute arbitrary code. The root cause is that an index entry is freed when it should not be; the freed memory is later used and overwritten with attacker-controlled data, leading to controlled heap corruption.
**Recommendations**
For versions prior to 1.6.5, update to version 1.6.5 or later.
For versions prior to 1.7.2, update to version 1.7.2 or later.
As a temporary workaround, consider restricting the use of the `git_index_add` function until the fixed version can be deployed.
Avoid using the `has_dir_name` function in `src/libgit2/index.c` until the issue is resolved.
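As an added example (not part of this advisory or of libgit2's own code): a C check that maps a libgit2 version string onto the affected ranges above, treating a pre-release tag as older than the matching release. The names `parse_libgit2_version`, `cve_2024_24577_affected` and `libgit2_version_affected` are my own; `git_libgit2_version()` is libgit2's real API for obtaining the running library's version triple.

```c
#include <stdlib.h>

/* Parsed libgit2 version; prerelease marks a "-rc1"-style suffix, which sorts before the release. */
struct libgit2_version { int major, minor, rev, prerelease; };

/* Parse "1.7.1", "v1.7.1", "1.7" or "1.7.2-rc1". Returns 0, or -1 if malformed. */
int parse_libgit2_version(const char *s, struct libgit2_version *v)
{
    int parts[3] = {0, 0, 0}, i;
    char *end;
    if (*s == 'v') s++;
    for (i = 0; i < 3; i++) {
        long n = strtol(s, &end, 10);
        if (end == s || n < 0) return -1;      /* a number is required here */
        parts[i] = (int)n;
        s = end;
        if (*s != '.') break;
        s++;
    }
    if (i < 1) return -1;                      /* need at least major.minor */
    v->major = parts[0]; v->minor = parts[1]; v->rev = parts[2];
    v->prerelease = (*s == '-');
    return (*s == '\0' || *s == '-') ? 0 : -1; /* anything else is trailing junk */
}

/* Three-way compare against a release number; a pre-release of X.Y.Z is below X.Y.Z. */
static int cmp_release(const struct libgit2_version *v, int major, int minor, int rev)
{
    if (v->major != major) return v->major < major ? -1 : 1;
    if (v->minor != minor) return v->minor < minor ? -1 : 1;
    if (v->rev != rev) return v->rev < rev ? -1 : 1;
    return v->prerelease ? -1 : 0;
}

/* The advisory's affected ranges: anything prior to 1.6.5 (which covers every
 * older release line) and the 1.7 line prior to 1.7.2. Returns 1 = affected, 0 = fixed. */
int cve_2024_24577_affected(const struct libgit2_version *v)
{
    if (cmp_release(v, 1, 6, 5) < 0) return 1;
    if (v->major == 1 && v->minor == 7 && cmp_release(v, 1, 7, 2) < 0) return 1;
    return 0;
}

/* String front end, e.g. for `pkg-config --modversion libgit2` output; a program linked
 * against libgit2 can pass git_libgit2_version()'s triple to cve_2024_24577_affected() instead. */
int libgit2_version_affected(const char *s)
{
    struct libgit2_version v;
    return parse_libgit2_version(s, &v) == 0 ? cve_2024_24577_affected(&v) : -1;
}
```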