Your message dated Wed, 18 Sep 2024 00:00:55 +0000
with message-id <[email protected]>
and subject line Bug#1082055: fixed in rust-gix-path 0.10.11-1
has caused the Debian Bug report #1082055,
regarding rust-gix-path: CVE-2024-45405
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1082055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082055
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-gix-path
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-gix-path.
CVE-2024-45405[0]:
| `gix-path` is a crate of the `gitoxide` project (an implementation
| of `git` written in Rust) dealing with paths and their conversions. Prior
| to version 0.10.11, `gix-path` runs `git` to find the path of a
| configuration file associated with the `git` installation, but
| improperly resolves paths containing unusual or non-ASCII
| characters, in rare cases enabling a local attacker to inject
| configuration leading to code execution. Version 0.10.11 contains a
| patch for the issue. In `gix_path::env`, the underlying
| implementation of the `installation_config` and
| `installation_config_prefix` functions calls `git config -l --show-origin`
| to find the path of a file to treat as belonging to the
| `git` installation. Affected versions of `gix-path` do not pass
| `-z`/`--null` to cause `git` to report literal paths. Instead, to
| cover the occasional case that `git` outputs a quoted path, they
| attempt to parse the path by stripping the quotation marks. The
| problem is that, when a path is quoted, it may change in substantial
| ways beyond the concatenation of quotation marks. If not reversed,
| these changes can result in another valid path that is not
| equivalent to the original. On a single-user system, it is not
| possible to exploit this, unless `GIT_CONFIG_SYSTEM` and
| `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been
| installed in an unusual way. Such a scenario is not expected.
| Exploitation is unlikely even on a multi-user system, though it is
| plausible in some uncommon configurations or use cases. In general,
| exploitation is more likely to succeed if users are expected to
| install `git` themselves, and are likely to do so in predictable
| locations; locations where `git` is installed, whether due to
| usernames in their paths or otherwise, contain characters that `git`
| quotes by default in paths, such as non-English letters and accented
| letters; a custom `system`-scope configuration file is specified
| with the `GIT_CONFIG_SYSTEM` environment variable, and its path is
| in an unusual location or has strangely named components; or a
| `system`-scope configuration file is absent, empty, or suppressed by
| means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can
| treat a `global`-scope configuration file as belonging to the
| installation if no higher scope configuration file is available.
| This increases the likelihood of exploitation even on a system where
| `git` is installed system-wide in an ordinary way. However,
| exploitation is expected to be very difficult even under any
| combination of those factors.
https://github.com/advisories/GHSA-m8rp-vv92-46c7
https://rustsec.org/advisories/RUSTSEC-2024-0371.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-45405
https://www.cve.org/CVERecord?id=CVE-2024-45405
Please adjust the affected versions in the BTS as needed.
--- End Message ---
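The parsing defect the advisory describes, as an added example that is not gix-path's or gitoxide's own code: a decoder for Git's C-style path quoting beside the naive quote-stripping, plus the `-z` record form in which the path arrives literally. The `--show-origin` line layout used here and the sample paths are assumptions constructed for illustration.

```rust
// Added example, not gix-path's own code. Git prints a path in C-style
// quoting when it contains bytes it treats as unusual (e.g. non-ASCII);
// stripping only the quotes leaves the escapes behind and yields a
// different, still valid, path.

/// Decode a Git C-style quoted string into raw path bytes.
/// Returns None if the input is not quoted or the escaping is malformed.
fn unquote_git_c_style(s: &str) -> Option<Vec<u8>> {
    let bytes = s.strip_prefix('"')?.strip_suffix('"')?.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] != b'\\' { out.push(bytes[i]); i += 1; continue; }
        i += 1; // skip the backslash
        let c = *bytes.get(i)?;
        let simple = match c {
            b'\\' | b'"' => Some(c),
            b'a' => Some(7), b'b' => Some(8), b'v' => Some(11), b'f' => Some(12),
            b't' => Some(b'\t'), b'n' => Some(b'\n'), b'r' => Some(b'\r'),
            _ => None,
        };
        if let Some(b) = simple { out.push(b); i += 1; }
        else if (b'0'..=b'7').contains(&c) {
            // Octal escape: exactly three digits encoding one byte, e.g. \303.
            let digits = bytes.get(i..i + 3)?;
            let mut v = 0u32;
            for &d in digits {
                if !(b'0'..=b'7').contains(&d) { return None; }
                v = v * 8 + u32::from(d - b'0');
            }
            if v > 255 { return None; }
            out.push(v as u8);
            i += 3;
        } else { return None; }
    }
    Some(out)
}

/// The flawed approach the advisory describes: drop the quotation marks only.
fn naive_strip_quotes(path: &str) -> String { path.trim_matches('"').to_string() }

/// Origin path from one `git config -l --show-origin` line (assumed layout
/// `file:<path>\t<key>=<value>`), decoding the quoting when present.
fn origin_path(line: &str) -> Option<Vec<u8>> {
    let path = line.strip_prefix("file:")?.split_once('\t')?.0;
    if path.starts_with('"') { unquote_git_c_style(path) } else { Some(path.as_bytes().to_vec()) }
}

/// With `-z`, each record is `file:<path>\0<key>\n<value>\0` and the path is
/// printed literally, so no unquoting is needed at all.
fn origin_path_nul(record: &[u8]) -> Option<&[u8]> {
    let rest = record.strip_prefix(b"file:")?;
    rest.iter().position(|&b| b == 0).map(|end| &rest[..end])
}
```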
--- Begin Message ---
Source: rust-gix-path
Source-Version: 0.10.11-1
Done: Peter Michael Green <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-gix-path, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Michael Green <[email protected]> (supplier of updated rust-gix-path
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 17 Sep 2024 21:53:54 +0000
Source: rust-gix-path
Architecture: source
Version: 0.10.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Peter Michael Green <[email protected]>
Closes: 1082055
Changes:
rust-gix-path (0.10.11-1) unstable; urgency=medium
.
* Team upload.
* Package gix-path 0.10.11 from crates.io using debcargo 2.6.1
+ New upstream fixes RUSTSEC-2024-0371 (Closes: #1082055)
--- End Message ---