libgit2 v1.7.2
馃敀 This is a security release with multiple changes.
-
A bug in
git_revparse_single
is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS. -
A bug in
git_index_add
is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS. -
A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.
The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add
and git_revparse_single
bugs, and providing details and reproduction steps during their responsible disclosure.
All users of the v1.7 release line are recommended to upgrade.