Описание
gix-path is a crate of the gitoxide project (an implementation of git written in Rust) dealing paths and their conversions. Prior to version 0.10.11, gix-path runs git to find the path of a configuration file associated with the git installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue. In gix_path::env, the underlying implementation of the installation_config and installation_config_prefix functions calls git config -l --show-origin to find the path of a file to treat as belonging to the git installation. Affected versions of gix-path do not pass -z/--null to cause git to report literal paths. Instead, to cover the occasional case that git outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may chang...
| Релиз | Статус | Примечание |
|---|---|---|
| devel | not-affected | |
| esm-apps/noble | needs-triage | |
| esm-infra/focal | DNE | |
| focal | DNE | |
| jammy | DNE | |
| noble | needs-triage | |
| oracular | not-affected | 0.10.11-2 |
| plucky | not-affected | |
| questing | not-affected | |
| upstream | released | 0.10.11-1 |
Показывать по
6 Medium
CVSS3
Связанные уязвимости
`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue. In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change
`gix-path` is a crate of the `gitoxide` project (an implementation of ...
gix-path improperly resolves configuration path reported by Git
6 Medium
CVSS3