CVE-2024-24577: 
Git vulnerability analysis and mitigation

CVE-2024-24577 affects libgit2, a portable C implementation of the Git core methods provided as a linkable library. The vulnerability was discovered by researchers at Amazon AWS and disclosed in February 2024. The affected versions include libgit2 versions prior to 1.6.5 and 1.7.2 (GitHub Release 1.6.5, GitHub Release 1.7.2).

The vulnerability exists in the has_dir_name function in src/libgit2/index.c, which incorrectly frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data, leading to controlled heap corruption. The issue is triggered when two consecutive calls to git_index_add are made with a filename that starts with a '/' character. To control the heap corruption, an attacker must be able to control the ctime field of the git_index_entry data structure (GitHub Advisory).

The vulnerability has been assigned a CVSS 3.1 base score of 9.8 (Critical), with high impacts on confidentiality, integrity, and availability. Depending on the application that uses libgit2, successful exploitation could lead to arbitrary code execution (Ubuntu Security).

The vulnerability has been patched in libgit2 versions 1.6.5 and 1.7.2. Users are strongly recommended to upgrade to these versions. As a workaround, users can prevent paths beginning with '/' from being provided to git_index_add (GitHub Advisory).