SB2021072794 - openEuler update for libgit2

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2020-12278)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of equivalent filenames that exist because of NTFS Alternate Data Streams in path.c. A remote attacker can trick the victim into cloning a specially crafted repository and execute arbitrary code on the system.

2) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2020-12279)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of equivalent filenames that exist because of NTFS short names in checkout.c. A remote attacker can trick the victim into cloning a specially crafted repository and execute arbitrary code on the system.

3) Input validation error (CVE-ID: CVE-2019-1352)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input within the Git for Visual Studio. A remote attacker can convince the user to clone a malicious repo and execute arbitrary code on the target system.

4) Incorrect default permissions (CVE-ID: CVE-2019-1353)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists to due none of the NTFS protections are active when accessing a working directory on a regular Windows drive. A local user with access to the system can view contents of files and directories or modify them.

Note: This vulnerability occurs when running Git in the Windows Subsystem for Linux (also known as "WSL").

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1282