libgit2-1_7-1.7.2-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13675-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libgit2-1_7-1.7.2-2.1 on GA media These are all security issues fixed in the libgit2-1_7-1.7.2-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13675 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-24575/ SUSE CVE CVE-2024-24575 page openSUSE Tumbleweed libgit2-1_7-1.7.2-2.1 libgit2-devel-1.7.2-2.1 libgit2-tools-1.7.2-2.1 libgit2-1_7-1.7.2-2.1 as a component of openSUSE Tumbleweed libgit2-devel-1.7.2-2.1 as a component of openSUSE Tumbleweed libgit2-tools-1.7.2-2.1 as a component of openSUSE Tumbleweed libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_revparse_single` can cause the function to enter an infinite loop, potentially causing a Denial of Service attack in the calling application. The revparse function in `src/libgit2/revparse.c` uses a loop to parse the user-provided spec string. There is an edge-case during parsing that allows a bad actor to force the loop conditions to access arbitrary memory. Potentially, this could also leak memory if the extracted rev spec is reflected back to the attacker. As such, libgit2 versions before 1.4.0 are not affected. Users should upgrade to version 1.6.5 or 1.7.2. CVE-2024-24575 openSUSE Tumbleweed:libgit2-1_7-1.7.2-2.1 openSUSE Tumbleweed:libgit2-devel-1.7.2-2.1 openSUSE Tumbleweed:libgit2-tools-1.7.2-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24575.html CVE-2024-24575 https://bugzilla.suse.com/1219664 SUSE Bug 1219664