Security update for libgit2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2583-1 Final 1 1 2024-07-22T11:40:46Z current 2024-07-22T11:40:46Z 2024-07-22T11:40:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libgit2 This update for libgit2 fixes the following issues: - CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2583,SUSE-SLE-SDK-12-SP5-2024-2583 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242583-1/ Link for SUSE-SU-2024:2583-1 https://lists.suse.com/pipermail/sle-updates/2024-July/036089.html E-Mail link for SUSE-SU-2024:2583-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219660 SUSE Bug 1219660 https://www.suse.com/security/cve/CVE-2024-24577/ SUSE CVE CVE-2024-24577 page SUSE Linux Enterprise Software Development Kit 12 SP5 libgit2-24-0.24.1-11.5.1 libgit2-24-32bit-0.24.1-11.5.1 libgit2-24-64bit-0.24.1-11.5.1 libgit2-devel-0.24.1-11.5.1 libgit2-24-0.24.1-11.5.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP5 libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2. CVE-2024-24577 SUSE Linux Enterprise Software Development Kit 12 SP5:libgit2-24-0.24.1-11.5.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242583-1/ https://www.suse.com/security/cve/CVE-2024-24577.html CVE-2024-24577 https://bugzilla.suse.com/1219660 SUSE Bug 1219660