CVE-2020-12279

Name
CVE-2020-12279
Description
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.
NVD Severity
high

References

| Type | URI |
| --- | --- |
| Release Notes | https://github.com/libgit2/libgit2/releases/tag/v0.28.4 |
| Patch | https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4 |
| Release Notes | https://github.com/libgit2/libgit2/releases/tag/v0.99.0 |
| Patch | https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v |
| MLIST | https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:libgit2:libgit2:*:*:*:*:*:*:*:* | libgit2 | >= None | < 0.28.4 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| libgit2 | 3.10-main | 0.28.2-r0 | Natanael Copa <ncopa@alpinelinux.org> | possibly vulnerable |