
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in libgit2 before version 0.28.4 and 0.9x before 0.99.0. The vulnerability, identified as CVE-2020-12279, relates to how checkout.c mishandles equivalent filenames that exist because of NTFS short names. This vulnerability was disclosed alongside other security issues in libgit2 and was addressed in security updates released in December 2019 (Libgit2 Release).
The vulnerability is in the checkout.c component of libgit2, which fails to properly handle equivalent filenames that exist due to NTFS short names (also known as 8.3 format names). This issue is similar to CVE-2019-1353, which was previously identified in Git. It is not limited to Windows systems: other platforms accessing NTFS filesystems were also vulnerable (Debian Advisory).
The vulnerability could potentially allow remote code execution when cloning a repository on systems using or accessing NTFS filesystems. This impact is particularly significant as it affects not only Windows systems but also Linux and macOS systems that interact with NTFS filesystems (Ubuntu Notice).
The vulnerability was fixed in libgit2 versions 0.28.4 and 0.99.0. The fix involved enabling NTFS protections by default on all systems to prevent this attack vector. Organizations using affected versions should upgrade to the patched versions. For Debian 9 stretch, the fix was included in version 0.25.1+really0.24.6-1+deb9u1, and for Debian 10 buster, in version 0.27.7+dfsg.1-0.2+deb10u1 (Debian LTS).
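For code that cannot upgrade immediately and wants to screen tree paths before checkout, the check below rejects any path component that NTFS would treat as `.git`. It is an added example, not libgit2's own code. It assumes the only short name of interest is `git~1`, the default 8.3 alias for `.git`, and the function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive test that the first bytes of s (len available) spell
 * `name`; `name` must be given in lower case. */
static int has_prefix_ci(const char *s, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i])
            return 0;
    return 1;
}

/* Returns 1 if one path component is equivalent to ".git" on NTFS:
 * ".git" itself or the short name "git~1" (assumed default alias), in any
 * letter case, optionally followed by trailing dots and spaces, which
 * Windows drops from file names. */
static int component_is_ntfs_dotgit(const char *s, size_t len)
{
    size_t n = has_prefix_ci(s, len, ".git")  ? 4
             : has_prefix_ci(s, len, "git~1") ? 5 : 0;
    if (n == 0)
        return 0;
    for (; n < len; n++)
        if (s[n] != '.' && s[n] != ' ')
            return 0;
    return 1;
}

/* Checks every component of a tree path. Both '/' and '\\' are treated as
 * separators, since NTFS-aware systems accept the backslash as one. */
int path_has_ntfs_dotgit(const char *path)
{
    const char *start = path;
    for (const char *p = path; ; p++) {
        if (*p == '/' || *p == '\\' || *p == '\0') {
            if (component_is_ntfs_dotgit(start, (size_t)(p - start)))
                return 1;
            if (*p == '\0')
                return 0;
            start = p + 1;
        }
    }
}
```

A caller would run `path_has_ntfs_dotgit()` over each entry of a tree before writing it to disk and refuse the checkout on a match, regardless of the host operating system.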
Source: This report was generated using AI