x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271

tatianab · 2023-11-08T22:06:45Z

CVE-2020-12278 references github.com/git/git, which may be a Go module.

Description:
An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1352.

References:

NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-12278
advisory: GHSA-5wph-8frv-58vj
web: https://github.com/libgit2/libgit2/releases/tag/v0.99.0
web: https://github.com/libgit2/libgit2/releases/tag/v0.28.4
fix: libgit2/libgit2@3f7851e
fix: libgit2/libgit2@e1832eb
web: https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
web: https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html
Imported by: https://pkg.go.dev/github.com/git/git?tab=importedby

Cross references:

Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-29187 #513 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39253 #1068 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-39260 #1069 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-23521 #1499 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2022-41903 #1500 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-22490 #1562 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-23946 #1563 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-25652 #1739 NOT_GO_CODE
Module github.com/git/git appears in issue x/vulndb: potential Go vuln in github.com/git/git: CVE-2023-29007 #1741 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/git/git
      vulnerable_at: 2.42.1+incompatible
      packages:
        - package: n/a
cves:
    - CVE-2020-12278
references:
    - advisory: https://github.com/git/git/security/advisories/GHSA-5wph-8frv-58vj
    - web: https://github.com/libgit2/libgit2/releases/tag/v0.99.0
    - web: https://github.com/libgit2/libgit2/releases/tag/v0.28.4
    - fix: https://github.com/libgit2/libgit2/commit/3f7851eadca36a99627ad78cbe56a40d3776ed01
    - fix: https://github.com/libgit2/libgit2/commit/e1832eb20a7089f6383cfce474f213157f5300cb
    - web: https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html
    - web: https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-11-08T22:28:14Z

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports

tatianab added the excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process label Nov 8, 2023

gopherbot closed this as completed in 497caf9 Nov 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271

x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271

tatianab commented Nov 8, 2023

gopherbot commented Nov 8, 2023

x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271

x/vulndb: potential Go vuln in github.com/git/git: CVE-2020-12278 #2271

Comments

tatianab commented Nov 8, 2023

gopherbot commented Nov 8, 2023