Package: gh
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security upstream
Hi,

The following vulnerability was published for gh.

CVE-2024-54132[0]:
| The GitHub CLI is GitHub's official command line tool. A security
| vulnerability has been identified in GitHub CLI that could create or
| overwrite files in unintended directories when users download a
| malicious GitHub Actions workflow artifact through gh run download.
| This vulnerability stems from a GitHub Actions workflow artifact
| named .. when downloaded using gh run download. The artifact name
| and --dir flag are used to determine the artifact's download path.
| When the artifact is named .., the resulting files within the
| artifact are extracted exactly 1 directory higher than the specified
| --dir flag value. This vulnerability is fixed in 2.63.1.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-54132
    https://www.cve.org/CVERecord?id=CVE-2024-54132
[1] https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj

Please adjust the affected versions in the BTS as needed.

Best wishes
Matthias
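The path behaviour the advisory describes, as an added example that is not part of the bug report and not gh's own code: joining an attacker-controlled artifact name onto the --dir value without validation lets a name of `..` resolve to the parent of --dir, and a containment check (computed with filepath.Rel against the cleaned --dir) rejects it. The function names, the `/tmp/downloads` download directory and the `build-output` artifact name are assumptions for illustration; the check shown is one reasonable mitigation, not a claim about how upstream fixed it in 2.63.1. Go is used because gh is written in Go.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveArtifactDir joins the artifact name onto the --dir value with no
// validation. This reproduces the behaviour described in CVE-2024-54132:
// an artifact named ".." resolves to the directory above --dir.
// Example code, not gh's implementation.
func naiveArtifactDir(dir, artifactName string) string {
	return filepath.Join(dir, artifactName)
}

// safeArtifactDir joins the artifact name onto --dir and then verifies
// that the result is still inside --dir. filepath.Rel yields ".." or a
// path starting with "../" whenever the target escapes the base, so any
// such result is rejected. Illustrative mitigation, assumed here rather
// than taken from the upstream fix.
func safeArtifactDir(dir, artifactName string) (string, error) {
	base := filepath.Clean(dir)
	target := filepath.Join(base, artifactName)

	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("artifact name %q escapes download directory %q", artifactName, dir)
	}
	return target, nil
}

func main() {
	// Constructed inputs: an honest artifact name and the ".." name from the advisory.
	dir := "/tmp/downloads"
	for _, name := range []string{"build-output", "..", "../../etc"} {
		fmt.Printf("naive  %-12q -> %s\n", name, naiveArtifactDir(dir, name))
		if p, err := safeArtifactDir(dir, name); err != nil {
			fmt.Printf("safe   %-12q -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("safe   %-12q -> %s\n", name, p)
		}
	}
}
```

Note that the check operates on the lexical path only; if --dir may contain symlinks, resolve it with filepath.EvalSymlinks before comparing, and apply the same containment check again to every entry name inside the artifact archive, since the archive contents are as attacker-controlled as the artifact name.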