
Gentoo: GLSA-202311-01 High: GitPython Remote Code Execution Threat

Gentoo, November 1, 2023
Gentoo has issued GLSA 202311-01 for a high-severity flaw in GitPython (CVE-2022-24439): crafted input to Repo.clone_from can lead to code execution. Details of the advisory follow.

Summary

Please review the CVE identifier referenced below for details.

Resolution

All GitPython users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/GitPython-3.1.30"

References

[ 1 ] CVE-2022-24439 https://nvd.nist.gov/vuln/detail/CVE-2022-24439

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202311-01

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: High
Title: GitPython: Code Execution via Crafted Input
Date: November 01, 2023
Bugs: #884623
ID: 202311-01

Synopsis

A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution.

Background

GitPython is a Python library used to interact with Git repositories.


Affected Packages

Package              Vulnerable   Unaffected
-------------------- ------------ ------------
dev-python/GitPython < 3.1.30     >= 3.1.30

Impact

An attacker who controls the remote URL passed to Repo.clone_from may be able to achieve Remote Code Execution (RCE). The library hands the URL to the external git command without sufficient validation of its arguments, so a maliciously crafted URL can inject arguments into the clone command.
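The block below illustrates the impact described above. It is example code written for this page, not GitPython's implementation, and it does not reproduce the checks that the corrected GitPython release applies. It contrasts the unchecked call pattern (a caller-supplied string spliced straight into the git command line) with a validator of the kind a fixed library has to apply before shelling out. git's `--upload-pack` option, its `--` option terminator and its `<helper>::<address>` remote-helper syntax are git's own; the allowlist of accepted remote forms, the function names and the sample remotes are assumptions made for this example.

```python
import re

# Assumed allowlist for this example: URL schemes git treats as network
# transports, plus the scp-like "user@host:path" form.
_SAFE_SCHEME = re.compile(r"^(https?|ssh|git)://[^\s]+$", re.IGNORECASE)
_SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:[\w./-]+$")
# git's remote-helper syntax "<helper>::<address>" runs git-remote-<helper>;
# "ext::" hands <address> to a shell.  Whether git permits a given helper
# depends on its protocol.<helper>.allow setting, so a library that accepts
# untrusted URLs must not rely on that setting.
_REMOTE_HELPER = re.compile(r"^[A-Za-z0-9_.+-]+::")


class UnsafeCloneURL(ValueError):
    """Raised when a remote string must not be handed to `git clone`."""


def vulnerable_clone_argv(url: str, dest: str) -> list:
    """The pre-fix pattern: the caller's string goes into argv unchecked.
    A value such as "--upload-pack=<cmd>" is parsed by git as an option and
    "ext::<cmd>" selects a remote helper; either can run an attacker's
    command on the host doing the clone."""
    return ["git", "clone", "-v", url, dest]


def options_seen_by_git(argv: list) -> list:
    """Model of git's option parsing: after the subcommand, every argument
    starting with '-' is an option until a bare '--' ends option parsing."""
    opts = []
    for arg in argv[2:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts


def check_clone_url(url: str) -> str:
    """Reject remotes that could change what `git clone` executes."""
    if any(ch in url for ch in "\x00\r\n"):
        raise UnsafeCloneURL("control character in remote")
    if url.startswith("-"):
        raise UnsafeCloneURL(f"remote would be parsed as a git option: {url!r}")
    if _REMOTE_HELPER.match(url):
        raise UnsafeCloneURL(f"remote-helper transport not allowed: {url!r}")
    if not (_SAFE_SCHEME.match(url) or _SCP_LIKE.match(url)):
        raise UnsafeCloneURL(f"unrecognised remote form: {url!r}")
    return url


def hardened_clone_argv(url: str, dest: str) -> list:
    """Validate the remote, then end option parsing with '--' so that neither
    the remote nor the destination can ever be read as an option."""
    return ["git", "clone", "-v", "--", check_clone_url(url), dest]


def is_rejected(url: str) -> bool:
    try:
        check_clone_url(url)
    except UnsafeCloneURL:
        return True
    return False


if __name__ == "__main__":
    # Constructed remotes modelled on the option- and helper-injection patterns.
    for remote in ["https://example.org/org/repo.git",
                   "git@example.org:org/repo.git",
                   "--upload-pack=touch /tmp/pwned",
                   "ext::sh -c touch% /tmp/pwned"]:
        print(remote, "->",
              "rejected" if is_rejected(remote) else hardened_clone_argv(remote, "repo"))
```

Run directly, the script shows each constructed remote either rejected or turned into an argument vector that git cannot misread. A plain local path is rejected only because this example's allowlist is deliberately narrow; an application that legitimately clones local repositories would relax that rule, but it should still keep the option and remote-helper checks.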

Workaround

There is no known workaround at this time.
