PT-2024-1689 · Libgit2+6 · Libgit2+6
Ethomson
·
Published
2024-02-06
·
Updated
2025-09-22
·
CVE-2024-24577
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
libgit2 versions prior to 1.6.5
libgit2 versions prior to 1.7.2
Description
The issue is related to a heap corruption vulnerability in the
has dir name function in src/libgit2/index.c, which can be exploited for arbitrary code execution. This can occur when using well-crafted inputs to git index add, allowing a remote attacker to potentially execute arbitrary code. The vulnerability is due to the freeing of an entry that should not be freed, which is later used and overwritten with potentially bad actor-controlled data, leading to controlled heap corruption.Recommendations
For versions prior to 1.6.5, update to version 1.6.5 or later.
For versions prior to 1.7.2, update to version 1.7.2 or later.
As a temporary workaround, consider restricting the use of the
git index add function until a patch is available.
Avoid using the has dir name function in src/libgit2/index.c until the issue is resolved.Exploit
Fix
Buffer Overflow
Heap Based Buffer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Linuxmint
Red Os
Suse
Ubuntu
Libgit2