Lucene search
GitHub Advisory DatabaseGHSA-3QX3-6HXR-J2CHHistoryFeb 08, 2024 - 6:47 p.m.
eza Potential Heap Overflow Vulnerability for AArch64
2024-02-0818:47:28
GitHub Advisory Database
github.com
11
eza
heap overflow
aarch64
ubuntu
raspberry pi
.git directory
vulnerability
arbitrary code execution
libgit2
poc
Summary
In eza, there exists a potential heap overflow vulnerability, first seen when using Ubuntu for Raspberry Pi series system, on ubuntu-raspi kernel, relating to the .git directory.
Details
The vulnerability seems to be triggered by the .git directory in some projects. This issue may be related to specific files, and the directory structure also plays a role in triggering the vulnerability. Files/folders that may be involved in triggering the vulnerability include .git/HEAD, .git/refs, and .git/objects.
As @polly pointed out to me, this is likely caused by GHSA-j2v7-4f6v-gpg8, which we do seem to use currently.
PoC
For more information check @CuB3y0nd’s blogpost blog.
Impact
Arbitrary code execution.
Affected configurations
Node
ezaRange<0.18.2
Related
cvelist
cvelist
CVE-2024-25817
2024-03-05 00:00:00
cve
cve
CVE-2024-25817
2024-03-06 00:15:52
prion
prion
Buffer overflow
2024-03-06 00:15:00
nvd
nvd
CVE-2024-25817
2024-03-06 00:15:52
debiancve
debiancve
CVE-2024-25817
2024-03-06 00:15:52
osv
osv
eza Potential Heap Overflow Vulnerability for AArch64
2024-02-08 18:47:28
ubuntucve
ubuntucve
CVE-2024-25817
2024-03-06 00:00:00