{"id":"CVE-2020-12279","details":"An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository. This issue is similar to CVE-2019-1353.","modified":"2026-04-10T07:20:09.810782Z","published":"2020-04-27T17:15:13.470Z","related":["GHSA-589j-mmg9-733v"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00034.html"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.28.4"},{"type":"ADVISORY","url":"https://github.com/libgit2/libgit2/releases/tag/v0.99.0"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"type":"FIX","url":"https://github.com/git/git/security/advisories/GHSA-589j-mmg9-733v"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"fixed":"106a5f27586504ea371528191f0ea3aac2ad432b"},{"fixed":"64c612cc3e25eff5fb02c59ef5a66ba7a14751e4"},{"fixed":"172239021f7ba04fe7327647b213799853a9eb89"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.28.4"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.21.0","v0.22.0","v0.22.0-rc1","v0.22.0-rc2","v0.23.0","v0.23.0-rc1","v0.23.0-rc2","v0.24.0","v0.24.0-rc1","v0.26.0","v0.26.0-rc1","v0.26.0-rc2","v0.27.0","v0.27.0-rc1","v0.27.0-rc2","v0.27.0-rc3","v0.28.0","v0.28.0-rc1","v0.28.1","v0.28.2","v0.28.3","v0.3.0","v0.8.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-12279.json","vanir_signatures":[{"digest":{"length":109,"function_hash":"54554569915003734768761110712720175172"},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","deprecated":false,"id":"CVE-2020-12279-18c21614","signature_type":"Function","target":{"function":"test_checkout_nasty__git_tilde1","file":"tests/checkout/nasty.c"}},{"digest":{"threshold":0.9,"line_hashes":["34151097703912068279059189515774524754","640971338307182747042490539310138101","261090504824042527251622828911835319539","190820267254834495437436494656192599698","109452042279548290592481542638704603152","183873679057880809488074463187073290050"]},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","deprecated":false,"id":"CVE-2020-12279-577666bb","signature_type":"Line","target":{"file":"tests/checkout/nasty.c"}},{"digest":{"length":636,"function_hash":"270919345757994032373988505154932358300"},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","deprecated":false,"id":"CVE-2020-12279-9b82710e","signature_type":"Function","target":{"function":"checkout_verify_paths","file":"src/checkout.c"}},{"digest":{"threshold":0.9,"line_hashes":["91163887863019740474463251087811095055","163293920236655175007224761102751500986","304947559022233408970519915295579978259","337098278619693989970552484739974126394"]},"signature_version":"v1","source":"https://github.com/libgit2/libgit2/commit/64c612cc3e25eff5fb02c59ef5a66ba7a14751e4","deprecated":false,"id":"CVE-2020-12279-fa1bf32c","signature_type":"Line","target":{"file":"src/checkout.c"}}],"vanir_signatures_modified":"2026-04-10T07:20:09Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}