Source: rust-gix-fs
Version: 0.16.1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-gix-fs.

CVE-2026-44471[0]:
| gitoxide is an implementation of git written in Rust. Prior to
| 0.21.1, a malicious tree can be constructed that will, when checked
| out with gitoxide, permit writing an attacker-controlled symlink
| into any existing directory the user has write access to. During
| checkout, all symlink index entries are deferred and created after
| regular files using a single shared gix_worktree::Stack. Internally,
| this uses a gix_fs::Stack.
| gix_fs::Stack::make_relative_path_current() caches validated path
| prefixes: when the previously-processed leaf component exactly
| matches the leading component(s) of the next path, the leaf-to-
| directory transition at gix-fs/src/stack.rs invokes only
| delegate.push_directory(), never delegate.push(). In
| gix_worktree::stack::delegate::StackDelegate, when the state member
| is State::CreateDirectoryAndAttributesStack,
| Attributes::push_directory() only loads attributes (from the ODB, in
| the clone case), and does not perform any other checks. The on-disk
| symlink_metadata() check and unlink-on-collision live in
| StackDelegate::push()'s invocation of create_leading_directory(),
| which is therefore bypassed for the cached prefix. The final symlink
| is created with plain std::os::unix::fs::symlink, which follows
| symlinks in parent directories. Therefore, it's possible to provide
| a tree with duplicate symlink and directory entries that exploits
| this. This vulnerability is fixed in 0.21.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44471
    https://www.cve.org/CVERecord?id=CVE-2026-44471
[1] https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f89h-2fjh-2r9q

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
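The per-component symlink_metadata() check that the advisory says the cached prefix skips, as an added Rust example (not gitoxide's code, and not its API): every leading directory of the relative path is inspected without following symlinks before the leaf may be created. It assumes a Unix host (std::os::unix::fs::symlink) and a constructed layout under the system temp dir; `leading_dirs_are_real` is a hypothetical name.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path};

/// Hypothetical guard, not gitoxide's implementation: before a symlink is
/// created at `root/rel`, inspect every leading directory of `rel` with
/// symlink_metadata(), which does not follow symlinks. A component that is
/// itself a symlink (or anything other than a directory) is rejected, so a
/// later symlink() call cannot be redirected through a parent symlink.
/// Missing directories are created, as a checkout would. Returns Ok(true)
/// when the leaf may be created safely.
pub fn leading_dirs_are_real(root: &Path, rel: &Path) -> io::Result<bool> {
    let mut cur = root.to_path_buf();
    let mut comps: Vec<_> = rel.components().collect();
    comps.pop(); // the last component is the leaf (the symlink itself)
    for comp in comps {
        match comp {
            Component::Normal(name) => cur.push(name),
            // `..`, `/`, `.` and prefixes never belong in a worktree path
            _ => return Ok(false),
        }
        match fs::symlink_metadata(&cur) {
            Ok(md) if md.file_type().is_dir() => {}
            Ok(_) => return Ok(false), // symlink or file where a dir is expected
            Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&cur)?,
            Err(e) => return Err(e),
        }
    }
    Ok(true)
}

/// Stand-alone demo on a constructed layout: `real_dir/` is a real
/// directory, `sub` is a symlink pointing at it (constructed sample data).
fn main() -> io::Result<()> {
    let root = std::env::temp_dir().join(format!("leading-dir-demo-{}", std::process::id()));
    fs::create_dir_all(root.join("real_dir"))?;
    std::os::unix::fs::symlink(root.join("real_dir"), root.join("sub"))?;
    for rel in ["real_dir/link", "sub/link", "../link"].iter() {
        let ok = leading_dirs_are_real(&root, Path::new(rel))?;
        println!("{}: {}", rel, if ok { "safe to create" } else { "refused" });
    }
    fs::remove_dir_all(&root)
}
```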

