CVE-2020-12278

Name
CVE-2020-12278
Description
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.
NVD Severity
high
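The description above turns on one mechanism: on NTFS, several differently spelled path components resolve to the same object as ".git" (a trailing "::$INDEX_ALLOCATION" or "::$DATA" stream suffix, trailing dots or spaces, case differences, and the generated 8.3 short name "GIT~1"), so a tree entry that a Unix-style comparison does not recognise as ".git" can still be written into the real .git directory during checkout, where hooks are executed. The following C is an added example written for this page, not libgit2's code and not the patch in the commits listed under References; the NTFS equivalence rules it models are stated as assumptions in the comments, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/*
 * Illustrative check (not libgit2's code): does a single path component
 * name the ".git" directory once NTFS name equivalences are applied?
 *
 * NTFS rules modelled here (assumptions for this example):
 *  - "name::$DATA" is the unnamed data stream of "name" and
 *    "name::$INDEX_ALLOCATION" is the directory "name", so a ':' starts
 *    a stream suffix that does not change which object is addressed;
 *  - trailing dots and spaces are dropped when a name is created;
 *  - name lookups are case-insensitive;
 *  - "GIT~1" is the 8.3 short name Windows generates for ".git"
 *    (treated as always equivalent, which is the conservative choice).
 */

static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Case-insensitive comparison of the first len bytes of s with lit. */
static bool equals_nocase(const char *s, size_t len, const char *lit)
{
    if (strlen(lit) != len)
        return false;
    for (size_t i = 0; i < len; i++)
        if (ascii_lower((unsigned char)s[i]) != ascii_lower((unsigned char)lit[i]))
            return false;
    return true;
}

/* Length of the component after NTFS normalisation: cut at the first ':'
 * (stream suffix), then drop trailing '.' and ' '. */
static size_t ntfs_effective_len(const char *name)
{
    size_t len = 0;
    while (name[len] != '\0' && name[len] != ':')
        len++;
    while (len > 0 && (name[len - 1] == '.' || name[len - 1] == ' '))
        len--;
    return len;
}

/* True if the component would resolve to ".git" on NTFS. */
bool is_ntfs_dotgit(const char *component)
{
    size_t len = ntfs_effective_len(component);
    return equals_nocase(component, len, ".git") ||
           equals_nocase(component, len, "git~1");
}

/* Walk a '/'-separated tree path and reject it if any component is an
 * NTFS alias of ".git". True means the path is safe to check out. */
bool path_is_safe_for_checkout(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t clen = end ? (size_t)(end - p) : strlen(p);
        char comp[256];
        if (clen >= sizeof comp)
            return false;           /* overlong component: refuse, do not guess */
        memcpy(comp, p, clen);
        comp[clen] = '\0';
        if (is_ntfs_dotgit(comp))
            return false;
        if (!end)
            break;
        p = end + 1;
    }
    return true;
}
```

The check is applied per component on the path as it appears in the tree object, before anything is written, and it is deliberately run on every platform: a repository is pushed from one system and cloned on another, so the Unix-only comparison against the literal ".git" is what the description calls "mishandles equivalent filenames".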
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Release Notes https://github.com/libgit2/libgit2/releases/tag/v0.28.4
Release Notes https://github.com/libgit2/libgit2/releases/tag/v0.99.0
Patch https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
Third Party Advisory https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
Patch https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html

Match rules

CPE URI: cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:*
Source package: libgit2
Min version: (none)
Max version: < 0.28.4

Note: this rule covers only the 0.28 line. The 0.9x releases before 0.99.0 named in the description sort above 0.28.4 and are not matched by it.

Vulnerable and fixed packages

Source package: libgit2
Branch: 3.10-main
Version: 0.28.2-r0
Maintainer: Natanael Copa <ncopa@alpinelinux.org>
Status: possibly vulnerable