Your message dated Fri, 15 May 2026 15:34:37 +0000
with message-id <[email protected]>
and subject line Bug#1136703: fixed in rust-gix-fs 0.16.1-2
has caused the Debian Bug report #1136703,
regarding rust-gix-fs: CVE-2026-44471
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136703
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-gix-fs
Version: 0.16.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-gix-fs.
CVE-2026-44471[0]:
| gitoxide is an implementation of git written in Rust. Prior to
| 0.21.1, a malicious tree can be constructed that will, when checked
| out with gitoxide, permit writing an attacker-controlled symlink
| into any existing directory the user has write access to. During
| checkout, all symlink index entries are deferred and created after
| regular files using a single shared gix_worktree::Stack. Internally,
| this uses a gix_fs::Stack.
| gix_fs::Stack::make_relative_path_current() caches validated path
| prefixes: when the previously-processed leaf component exactly
| matches the leading component(s) of the next path, the leaf-to-
| directory transition at gix-fs/src/stack.rs invokes only
| delegate.push_directory(), never delegate.push(). In
| gix_worktree::stack::delegate::StackDelegate, when the state member
| is State::CreateDirectoryAndAttributesStack,
| Attributes::push_directory() only loads attributes (from the ODB, in
| the clone case), and does not perform any other checks. The on-disk
| symlink_metadata() check and unlink-on-collision live in
| StackDelegate::push()'s invocation of create_leading_directory(),
| which is therefore bypassed for the cached prefix. The final symlink
| is created with plain std::os::unix::fs::symlink, which follows
| symlinks in parent directories. Therefore, it's possible to provide
| a tree with duplicate symlink and directory entries that exploits
| this. This vulnerability is fixed in 0.21.1.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-44471
https://www.cve.org/CVERecord?id=CVE-2026-44471
[1] https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f89h-2fjh-2r9q
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
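As an added illustration of the defensive point in the advisory above (this is not gitoxide's code nor the upstream fix), the following Rust model re-validates every leading path component with `symlink_metadata` on every checkout entry instead of trusting a previously validated prefix; `demo_swapped_prefix` constructs the directory-then-symlink sequence the advisory describes inside a temporary directory (Unix-only, because it creates a symlink) and shows the second entry being rejected.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Create the leading directories of `rel` under `root`, re-validating every
/// component on every call rather than trusting a previously validated prefix.
/// `symlink_metadata` does not follow symlinks, so a symlink sitting where a
/// directory is expected is rejected before anything is created beneath it.
pub fn ensure_leading_dirs(root: &Path, rel: &Path) -> io::Result<PathBuf> {
    let mut cur = root.to_path_buf();
    let parent = rel.parent().unwrap_or_else(|| Path::new(""));
    for comp in parent.components() {
        cur.push(comp);
        match fs::symlink_metadata(&cur) {
            Ok(md) if md.file_type().is_symlink() => {
                let msg = format!("symlink where a directory is expected: {}", cur.display());
                return Err(io::Error::new(io::ErrorKind::InvalidInput, msg));
            }
            Ok(md) if md.is_dir() => {}
            Ok(_) => {
                let msg = format!("non-directory in path: {}", cur.display());
                return Err(io::Error::new(io::ErrorKind::AlreadyExists, msg));
            }
            Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&cur)?,
            Err(e) => return Err(e),
        }
    }
    Ok(cur)
}

/// Constructed scenario (illustrative, not the advisory's proof of concept):
/// `a/` is created and validated, a deferred symlink entry then replaces `a`
/// with a link pointing outside the worktree, and a second entry under `a/`
/// is checked out. Returns (first pass succeeded, second pass rejected); a
/// prefix cache that skipped re-validation would have followed the symlink.
#[cfg(unix)]
pub fn demo_swapped_prefix() -> io::Result<(bool, bool)> {
    let base = std::env::temp_dir().join(format!("gix-fs-demo-{}", std::process::id()));
    let root = base.join("worktree");
    let outside = base.join("outside");
    fs::create_dir_all(&root)?;
    fs::create_dir_all(&outside)?;
    let first_ok = ensure_leading_dirs(&root, Path::new("a/file")).is_ok();
    fs::remove_dir(root.join("a"))?;
    std::os::unix::fs::symlink(&outside, root.join("a"))?;
    let second_rejected = ensure_leading_dirs(&root, Path::new("a/evil")).is_err();
    fs::remove_dir_all(&base)?;
    Ok((first_ok, second_rejected))
}
```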
--- Begin Message ---
Source: rust-gix-fs
Source-Version: 0.16.1-2
Done: Fabian Grünbichler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-gix-fs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Grünbichler <[email protected]> (supplier of updated
rust-gix-fs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 15 May 2026 17:14:42 +0200
Source: rust-gix-fs
Architecture: source
Version: 0.16.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Fabian Grünbichler <[email protected]>
Closes: 1136703
Changes:
rust-gix-fs (0.16.1-2) unstable; urgency=medium
.
* Team upload.
* Package gix-fs 0.16.1 from crates.io using debcargo 2.8.2
* Cherry-pick fix for GHSA-f89h-2fjh-2r9q / CVE-2026-44471
(Closes: #1136703)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---