
Debian LTS: DLA-3939-1 moderate: python-git remote execution risk

Debian LTS | October 29, 2024
Update python-git to address the remote code execution and inadequate input validation risks described in Debian LTS advisory DLA-3939-1.
GitPython provides object model access to a Git repository.

Summary

CVE-2022-24439, CVE-2023-40267 (follow-up)

Remote Code Execution (RCE) is possible due to improper user input
validation, which makes it possible to inject a maliciously crafted
remote URL into the clone command. Exploiting this vulnerability is
possible because the library makes external calls to git without
sufficient sanitization of input arguments.

CVE-2023-41040

GitPython reads files from the `.git` directory. In some places the
name of the file being read is provided by the user, and GitPython
does not check whether that file is located outside the `.git` directory.
This allows an attacker to make GitPython read any file from the
system.
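As an added, illustrative example (not GitPython's own code and not Debian's patch), the two input checks whose absence the advisory describes, written as standalone Python helpers: a containment check for user-supplied names under `.git`, and a URL validator that rejects option-like strings and any transport outside a constructed allowlist (the allowlist and the scp-style pattern are assumptions for the example).

```python
import os
import re

# Constructed allowlist of transports a caller is willing to pass to `git clone`.
SAFE_SCHEMES = {"https", "ssh", "git"}
# scp-style form "user@host:path" has no URL scheme, so it is matched separately.
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^\s]+$")


def is_safe_remote_url(url: str) -> bool:
    """Return True only for remotes that cannot be read as a git option
    and use an allowlisted transport; everything else is refused."""
    if not url or url[0] == "-" or any(c.isspace() for c in url):
        return False
    if SCP_LIKE.match(url):
        return True
    scheme, sep, rest = url.partition("://")
    # Anything without "://" (e.g. "ext::...") or with an unknown scheme is rejected.
    if not sep or scheme.lower() not in SAFE_SCHEMES or not rest:
        return False
    return True


def safe_git_dir_path(git_dir: str, relative_name: str) -> str:
    """Resolve a user-supplied name against git_dir and refuse any result
    that escapes it (via '..', absolute paths or symlinks)."""
    base = os.path.realpath(git_dir)
    # os.path.join discards base if relative_name is absolute, which the
    # containment check below catches as well.
    target = os.path.realpath(os.path.join(base, relative_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing to read outside {base}: {relative_name!r}")
    return target
```

Both checks fail closed: a path is only returned when it provably stays under the repository's `.git`, and a URL is only accepted when it matches a known-good shape.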

For Debian 11 bullseye, these problems have been fixed in version
3.1.14-1+deb11u1.

We recommend that you upgrade your python-git packages.

For the detailed security status of python-git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/python-git

Package: python-git
Version: 3.1.14-1+deb11u1
CVE ID: CVE-2022-24439 CVE-2023-40267 CVE-2023-41040
Debian Bug: 1027163 1043503
