#VU86202 Infinite loop in libgit2 - CVE-2024-24575


Vulnerability identifier: #VU86202

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-24575

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
libgit2
Universal components / Libraries / Libraries used by multiple products

Vendor: libgit2.github.com

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in git_revparse_single within the revparse() function in src/libgit2/revparse.c. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

libgit2: 1.0.0 - 1.0.1, 1.1.0 - 1.1.1, 1.2.0, 1.3.0 - 1.3.2, 1.4.0 - 1.4.6, 1.5.0, 1.5.1, 1.5.2, 1.6.0 - 1.6.4, 1.7.0 - 1.7.1

External links
https://github.com/libgit2/libgit2/security/advisories/GHSA-54mf-x2rh-hq9v
https://github.com/libgit2/libgit2/commit/add2dabb3c16aa49b33904dcdc07cd915efc12fa
https://github.com/libgit2/libgit2/releases/tag/v1.6.5
https://github.com/libgit2/libgit2/releases/tag/v1.7.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Anolis OS update for libgit2
Amazon Linux AMI update for libgit2
Amazon Linux AMI update for rust
SUSE update for libgit2
Debian update for libgit2
openEuler 22.03 LTS SP3 update for rust
openEuler 22.03 LTS SP2 update for rust
Ubuntu update for libgit2
Fedora EPEL 9 update for rust-ansitok, rust-bat, rust-cargo-c, rust-eza, rust-git-delta, rust-git2, rust-libgit2-sys, rust-pore, rust-shadow-rs, rust-strip-ansi-escapes, rust-vergen, rust-vt100, rust-vte
Fedora 38 update for rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, rust-vergen