Source: rust-gix-path
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for rust-gix-path.

CVE-2024-45405[0]:
| `gix-path` is a crate of the `gitoxide` project (an implementation
| of `git` written in Rust) dealing with paths and their conversions.
| Prior to version 0.10.11, `gix-path` runs `git` to find the path of a
| configuration file associated with the `git` installation, but
| improperly resolves paths containing unusual or non-ASCII characters,
| in rare cases enabling a local attacker to inject configuration
| leading to code execution. Version 0.10.11 contains a patch for the
| issue.
|
| In `gix_path::env`, the underlying implementation of the
| `installation_config` and `installation_config_prefix` functions
| calls `git config -l --show-origin` to find the path of a file to
| treat as belonging to the `git` installation. Affected versions of
| `gix-path` do not pass `-z`/`--null` to cause `git` to report literal
| paths. Instead, to cover the occasional case that `git` outputs a
| quoted path, they attempt to parse the path by stripping the
| quotation marks. The problem is that, when a path is quoted, it may
| change in substantial ways beyond the concatenation of quotation
| marks. If not reversed, these changes can result in another valid
| path that is not equivalent to the original.
|
| On a single-user system, it is not possible to exploit this, unless
| `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual
| values or Git has been installed in an unusual way. Such a scenario
| is not expected. Exploitation is unlikely even on a multi-user
| system, though it is plausible in some uncommon configurations or
| use cases.
|
| In general, exploitation is more likely to succeed if users are
| expected to install `git` themselves, and are likely to do so in
| predictable locations; locations where `git` is installed, whether
| due to usernames in their paths or otherwise, contain characters
| that `git` quotes by default in paths, such as non-English letters
| and accented letters; a custom `system`-scope configuration file is
| specified with the `GIT_CONFIG_SYSTEM` environment variable, and its
| path is in an unusual location or has strangely named components; or
| a `system`-scope configuration file is absent, empty, or suppressed
| by means other than `GIT_CONFIG_NOSYSTEM`.
|
| Currently, `gix-path` can treat a `global`-scope configuration file
| as belonging to the installation if no higher scope configuration
| file is available. This increases the likelihood of exploitation
| even on a system where `git` is installed system-wide in an ordinary
| way. However, exploitation is expected to be very difficult even
| under any combination of those factors.

https://github.com/advisories/GHSA-m8rp-vv92-46c7
https://rustsec.org/advisories/RUSTSEC-2024-0371.html

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45405
    https://www.cve.org/CVERecord?id=CVE-2024-45405

Please adjust the affected versions in the BTS as needed.
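Added illustration of the parsing problem the quoted advisory describes; it is not gix-path's or git's own code, and the sample `git config -l --show-origin` line (its origin path, quoting and key) is constructed. It places the quote-stripping parse beside a decoder for git's C-style quoting and beside the literal origin field that `-z`/`--null` produces, so the two parses can be compared on the same input.

```rust
// Added example, not gix-path's or git's own code: the quote-stripping parse the
// advisory describes, a decoder for git's C-style quoting, and the `-z` form.

/// Constructed line, as git prints it without `-z`: the origin path is
/// C-quoted because it holds non-ASCII bytes ("é" becomes \303\251).
const SAMPLE_LINE: &str =
    "file:\"/opt/git-jos\\303\\251/etc/gitconfig\"\tcore.autocrlf=false";

/// The affected behaviour: strip the quotation marks and use the rest. The
/// escapes survive, so the result is a different, still valid, path.
fn path_by_stripping_quotes(line: &str) -> String {
    let origin = line.split('\t').next().unwrap_or("");
    let raw = origin.strip_prefix("file:").unwrap_or(origin);
    raw.trim_matches('"').to_string()
}

/// Decode git's C-style quoting (`\"`, `\\`, `\a \b \t \n \v \f \r`, and
/// `\ooo` octal for any other byte). Malformed input yields None, not a guess.
fn unquote_c_style(quoted: &str) -> Option<String> {
    let inner = quoted.strip_prefix('"')?.strip_suffix('"')?;
    let (mut out, mut it) = (Vec::new(), inner.bytes());
    while let Some(b) = it.next() {
        if b != b'\\' { out.push(b); continue; }
        match it.next()? {
            b'a' => out.push(0x07), b'b' => out.push(0x08), b't' => out.push(b'\t'),
            b'n' => out.push(b'\n'), b'v' => out.push(0x0b), b'f' => out.push(0x0c),
            b'r' => out.push(b'\r'), b'"' => out.push(b'"'), b'\\' => out.push(b'\\'),
            d1 @ b'0'..=b'3' => { // three octal digits; a first digit above 3 exceeds a byte
                let (d2, d3) = (it.next()?, it.next()?);
                if !(b'0'..=b'7').contains(&d2) || !(b'0'..=b'7').contains(&d3) { return None; }
                out.push(((d1 - b'0') << 6) | ((d2 - b'0') << 3) | (d3 - b'0'));
            }
            _ => return None,
        }
    }
    String::from_utf8(out).ok()
}

/// Corrected parse of the non-`-z` form: decode the quoting when present, and
/// refuse the line (None) rather than return a wrong path when decoding fails.
fn path_by_unquoting(line: &str) -> Option<String> {
    let raw = line.split('\t').next()?.strip_prefix("file:")?;
    if raw.starts_with('"') { unquote_c_style(raw) } else { Some(raw.to_string()) }
}

/// With `-z`, git never quotes: each '\0'-terminated record starts with the
/// literal origin, ended by '\n', so there is no unquoting step to get wrong.
fn path_from_null_record(record: &str) -> Option<String> {
    record.split('\n').next()?.strip_prefix("file:").map(str::to_string)
}
```

On the constructed line, `path_by_stripping_quotes` returns `/opt/git-jos\303\251/etc/gitconfig` (backslashes intact) while `path_by_unquoting` returns `/opt/git-josé/etc/gitconfig`, which is the divergence the advisory is about.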