CVE-2024-25817

Publication date 6 March 2024

Last updated 24 July 2024

Buffer Overflow vulnerability in eza before version 0.18.2, allows local attackers to execute arbitrary code via the .git/HEAD, .git/refs, and .git/objects components.

Read the notes from the security team

Why is this CVE low priority?

Likely not affected due to not vendoring libgit2.

Learn more about Ubuntu priority

Status

Show unmaintained releases

Package	Ubuntu Release	Status
rust-eza	24.10 oracular	Not affected
	24.04 LTS noble	Vulnerable, work in progress
	23.10 mantic	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

Notes

sbeattie

likely due to an embedded copy of libgit2 vulnerable to CVE-2024-24577. The debian and ubuntu packages are likely not-affected due to rust-eza being patched to use the system libgit2 and not the vendored copy.

References

MITRE
NVD
Launchpad
Debian

Other references

https://github.com/advisories/GHSA-3qx3-6hxr-j2ch
https://www.cubeyond.net/blog/my-cves/eza-cve-report
https://www.cve.org/CVERecord?id=CVE-2024-25817