Tech Support
Documentation
Login
Contact Us
Critical libgit2 Vulnerabilities Fixed in Ubuntu
Rohan Timalsina
March 20, 2024 - TuxCare expert team
libgit2 is a portable, pure C implementation of the Git core methods library that allows you to use Git within your own software applications. Essentially, it enables developers to integrate Git functionality directly into their applications, such as creating custom Git workflows, IDEs, and other tools without relying on the Git command-line interface. However, like any software library, libgit2 is not immune to security flaws. Recently, the Ubuntu security team provided fixes for multiple libgit2 vulnerabilities affecting different Ubuntu releases including, Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04, and Ubuntu 16.04.
libgit2 Vulnerabilities Addressed
CVE-2020-12278 (Cvss 3 Severity Score: 9.8 Critical)
A vulnerability was found in libgit2 before versions 0.28.4 and 0.9x before 0.99.0. In certain cases, path.c mishandled equivalent filenames on NTFS partitions. This could potentially lead to remote code execution when cloning a repository.
CVE-2020-12279 (Cvss 3 Severity Score: 9.8 Critical)
A vulnerability was identified in libgit2 versions prior to 0.28.4 and 0.9x before 0.99.0. checkout.c mishandled equivalent filenames on NTFS partitions. This flaw could potentially result in remote code execution when cloning a repository.
CVE-2023-22742 (Cvss 3 Severity Score: 5.9 Medium)
libgit2 did not perform certificate checking by default. Exploiting this flaw could enable an attacker to conduct a man-in-the-middle attack. This vulnerability was specific to Ubuntu versions 16.04, 18.04, 20.04, and 22.04.
CVE-2024-24575 (Cvss 3 Severity Score: 7.5 High)
A flaw was found in libgit2 that could trigger an infinite loop. Exploiting this flaw could lead to a denial-of-service condition. This issue only existed in Ubuntu 23.10. As such, libgit2 versions before 1.4.0 are not affected. This issue has been patched in version 1.6.5 and 1.7.2.
CVE-2024-24577 (Cvss 3 Severity Score: 9.8 Critical)
A vulnerability was found in libgit2 related to improper memory management. Exploiting this flaw could potentially result in a denial-of-service attack or allow execution of arbitrary code by an attacker. This issue has been patched in version 1.6.5 and 1.7.2.
Mitigation Measures
Given the severity of libgit2 vulnerabilities, it is imperative for users of affected Ubuntu releases to apply the security updates promptly. Delaying patches could leave systems exposed to potential exploitation, therefore users should prioritize updating libgit2 packages to the latest version. Timely updates ensure the resilience and security of the system, protecting against emerging threats and vulnerabilities.
Ubuntu 16.04 and Ubuntu 18.04 users can only receive these updates if they have an Ubuntu Pro subscription. However, its pricing may not suit those seeking only patching. Alternatively, they can utilize TuxCare’s Extended Lifecycle Support, a cost-effective solution to secure end-of-life Ubuntu systems. It provides vulnerability patching for five additional years after the end date and ensures your systems remain protected. This also gives you enough time to strategize your migration without having to rush it.
If you have questions about Extended Lifecyle Support for Ubuntu 16.04 and Ubuntu 18.04, ask us a question and one of our Linux security experts will get back to you.
Source: USN-6678-1
