CVE-2024-24575: 
NixOS vulnerability analysis and mitigation

A security vulnerability identified as CVE-2024-24575 was discovered in libgit2, a portable C implementation of the Git core methods. The vulnerability was found in versions >= 1.4.0 and < 1.7.2, with patches released in versions 1.6.5 and 1.7.2. The issue was introduced in commit add2dabb3c16aa49b33904dcdc07cd915efc12fa and was discovered by researchers at Amazon AWS (GitHub Advisory).

The vulnerability exists in the revparse function within src/libgit2/revparse.c, where a loop is used to parse user-provided spec strings. An edge case during parsing allows potential access to arbitrary memory, which can be exploited to create an infinite loop in the revparse function. The issue specifically affects the git_revparse_single function (GitHub Advisory).

When exploited, this vulnerability can cause the git_revparse_single function to enter an infinite loop, potentially resulting in a Denial of Service (DoS) attack in applications using libgit2. Additionally, there is a possibility of memory leaks if the extracted rev spec is reflected back to the attacker (GitHub Advisory, Ubuntu Notice).

Users are advised to upgrade to libgit2 version 1.6.5 or 1.7.2, which contain patches for this vulnerability. Various distributions have released security updates, including Ubuntu and Fedora, which provide fixed versions through their package management systems (GitHub Release, Ubuntu Notice).