-------------------------------------------------------------------------
Debian LTS Advisory DLA-3939-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
October 29, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-git
Version        : 3.1.14-1+deb11u1
CVE ID         : CVE-2022-24439 CVE-2023-40267 CVE-2023-41040
Debian Bug     : 1027163 1043503

GitPython provides object model access to a Git repository.

CVE-2022-24439, CVE-2023-40267 (follow-up)

    Remote Code Execution (RCE) is possible due to improper user input
    validation, which makes it possible to inject a maliciously crafted
    remote URL into the clone command. Exploiting this vulnerability is
    possible because the library makes external calls to git without
    sufficient sanitization of input arguments.

CVE-2023-41040

    GitPython reads files from the `.git` directory. In some places the
    name of the file being read is provided by the user, and GitPython
    does not check whether that file is located outside the `.git`
    directory. This allows an attacker to make GitPython read any file
    on the system.

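The two issues above share one root cause: user-controlled strings reach git or the filesystem without being checked. The following is an added defensive example, not code from this advisory or from GitPython, showing the checks a caller can apply before using such values. It assumes a hypothetical application that accepts a remote URL and a `.git`-relative file name from its users; the scheme allowlist, the rejection of URLs that begin with `-`, and the `--` separator in the constructed argv are this example's own choices, and the paths used in it are constructed for illustration.

```python
"""Input-validation helpers (added example; not part of GitPython).

Two checks are demonstrated:
  * a remote URL is accepted only if it parses as a real URL with an
    allowlisted scheme and does not look like a command-line option, and
    the argv handed to git always carries the `--` end-of-options marker;
  * a user-supplied file name under `.git` is resolved and rejected if it
    escapes the `.git` directory (via `..`, an absolute path, or a symlink).
"""
from pathlib import Path
from typing import List
from urllib.parse import urlsplit

# Assumption of this example: only these transports are acceptable. An
# application that needs scp-style "user@host:path" spellings would have to
# add an explicit parser for them rather than widening the allowlist.
ALLOWED_SCHEMES = frozenset({"https", "ssh", "git"})


def validate_remote_url(url: str) -> str:
    """Return `url` unchanged if it is safe to pass to `git clone`.

    Raises ValueError otherwise. A value starting with '-' is refused
    outright because git would parse it as an option, not as a URL.
    """
    if not url or url.strip() != url:
        raise ValueError("remote URL is empty or has surrounding whitespace")
    if url.startswith("-"):
        raise ValueError("remote URL must not start with '-'")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.netloc:
        raise ValueError("remote URL has no host component")
    return url


def build_clone_argv(url: str, dest: str) -> List[str]:
    """Build the argv for a clone, validating the URL first.

    `--` tells git that everything after it is an operand, so even a value
    that slipped past validation could not be read as an option.
    """
    safe_url = validate_remote_url(url)
    if dest.startswith("-"):
        raise ValueError("destination path must not start with '-'")
    return ["git", "clone", "--", safe_url, dest]


def resolve_git_file(git_dir: str, user_name: str) -> Path:
    """Map a user-supplied name to a path that is guaranteed to lie inside
    `git_dir`, or raise ValueError.

    Both sides are resolved with Path.resolve() so that `..` segments,
    absolute names and symlinks are all judged by where they actually end
    up, not by how the string looks.
    """
    base = Path(git_dir).resolve()
    candidate = (base / user_name).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"{user_name!r} resolves outside {git_dir}")
    return candidate


if __name__ == "__main__":
    # Constructed inputs for a quick manual run.
    print(build_clone_argv("https://example.com/project.git", "project"))
    print(resolve_git_file("/tmp/example-repo/.git", "refs/heads/main"))
    for bad in ("../../etc/passwd", "/etc/passwd"):
        try:
            resolve_git_file("/tmp/example-repo/.git", bad)
        except ValueError as exc:
            print("rejected:", exc)
```

`resolve_git_file` returns the resolved path rather than a boolean so the caller opens exactly the path that was checked, which avoids a second, unchecked join of the same user string later on.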
For Debian 11 bullseye, these problems have been fixed in version
3.1.14-1+deb11u1.

We recommend that you upgrade your python-git packages.

For the detailed security status of python-git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS