Security update for libgit2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:2619-1 Final 1 1 2024-07-30T00:08:06Z current 2024-07-30T00:08:06Z 2024-07-30T00:08:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libgit2 This update for libgit2 fixes the following issues: - CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2024-2619,SUSE-SLE-Module-Development-Tools-15-SP5-2024-2619,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2619,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2619,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-2619,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2619,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2619,openSUSE-SLE-15.5-2024-2619 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20242619-1/ Link for SUSE-SU-2024:2619-1 https://lists.suse.com/pipermail/sle-security-updates/2024-July/019051.html E-Mail link for SUSE-SU-2024:2619-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219660 SUSE Bug 1219660 https://www.suse.com/security/cve/CVE-2024-24577/ SUSE CVE CVE-2024-24577 page SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP5 SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP4 openSUSE Leap 15.5 libgit2-1_3-1.3.0-150400.3.9.1 libgit2-1_3-32bit-1.3.0-150400.3.9.1 libgit2-1_3-64bit-1.3.0-150400.3.9.1 libgit2-devel-1.3.0-150400.3.9.1 libgit2-1_3-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS libgit2-devel-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS libgit2-1_3-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS libgit2-devel-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS libgit2-1_3-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 libgit2-devel-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise Module for Development Tools 15 SP5 libgit2-1_3-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS libgit2-devel-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS libgit2-1_3-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 libgit2-devel-1.3.0-150400.3.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 libgit2-1_3-1.3.0-150400.3.9.1 as a component of openSUSE Leap 15.5 libgit2-1_3-32bit-1.3.0-150400.3.9.1 as a component of openSUSE Leap 15.5 libgit2-devel-1.3.0-150400.3.9.1 as a component of openSUSE Leap 15.5 libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2. CVE-2024-24577 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:libgit2-1_3-1.3.0-150400.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:libgit2-devel-1.3.0-150400.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:libgit2-1_3-1.3.0-150400.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:libgit2-devel-1.3.0-150400.3.9.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:libgit2-1_3-1.3.0-150400.3.9.1 SUSE Linux Enterprise Module for Development Tools 15 SP5:libgit2-devel-1.3.0-150400.3.9.1 SUSE Linux Enterprise Server 15 SP4-LTSS:libgit2-1_3-1.3.0-150400.3.9.1 SUSE Linux Enterprise Server 15 SP4-LTSS:libgit2-devel-1.3.0-150400.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:libgit2-1_3-1.3.0-150400.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:libgit2-devel-1.3.0-150400.3.9.1 openSUSE Leap 15.5:libgit2-1_3-1.3.0-150400.3.9.1 openSUSE Leap 15.5:libgit2-1_3-32bit-1.3.0-150400.3.9.1 openSUSE Leap 15.5:libgit2-devel-1.3.0-150400.3.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20242619-1/ https://www.suse.com/security/cve/CVE-2024-24577.html CVE-2024-24577 https://bugzilla.suse.com/1219660 SUSE Bug 1219660