[Pkg-rust-maintainers] Bug#1077541: rust-gix-index: CVE-2024-35186

Moritz Mühlenhoff jmm at inutil.org
Mon Jul 29 20:28:11 BST 2024


Source: rust-gix-index
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-gix-index.

CVE-2024-35186[0]:
| gitoxide is a pure Rust implementation of Git. During checkout,
| `gix-worktree-state` does not verify that paths point to locations
| in the working tree. A specially crafted repository can, when
| cloned, place new files anywhere writable by the application. This
| vulnerability leads to a major loss of confidentiality, integrity,
| and availability, but creating files outside a working tree without
| attempting to execute code can directly impact integrity as well.
| This vulnerability has been patched in version(s) 0.36.0.

https://rustsec.org/advisories/RUSTSEC-2024-0348.html
https://github.com/advisories/GHSA-7w47-3wg8-547c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35186
    https://www.cve.org/CVERecord?id=CVE-2024-35186

Please adjust the affected versions in the BTS as needed.
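The advisory above describes a checkout that writes index entries without verifying that each destination lies inside the working tree. The following is an added example of the kind of containment check that was missing; it is not gitoxide's code and not the upstream fix (the advisory only says the fix shipped in gix-worktree-state 0.36.0). The type `PathError`, the functions `resolve_in_worktree` and `reject_symlink_ancestors`, and the sample entry paths and root directory are all constructed for this illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons a checkout destination is refused. Hypothetical type for this example.
#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    NulByte,
    Absolute,
    ParentDir,
    InvalidComponent,
    SymlinkAncestor,
}

/// Lexically validate a '/'-separated index entry path and join it onto
/// `root`. Succeeds only if the result is guaranteed to lie inside `root`.
pub fn resolve_in_worktree(root: &Path, entry: &str) -> Result<PathBuf, PathError> {
    if entry.is_empty() {
        return Err(PathError::Empty);
    }
    if entry.contains('\0') {
        return Err(PathError::NulByte);
    }
    // Git stores entry paths with '/' only. A backslash is an ordinary byte on
    // Unix but a separator on Windows, so a crafted "a\..\b" must not pass.
    if entry.contains('\\') {
        return Err(PathError::InvalidComponent);
    }
    let mut dest = root.to_path_buf();
    for component in Path::new(entry).components() {
        match component {
            Component::Normal(segment) => dest.push(segment),
            Component::CurDir => {} // a leading "./" is harmless, just drop it
            Component::ParentDir => return Err(PathError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
        }
    }
    // An entry such as "." resolves to the root itself, which is not a file.
    if dest.as_path() == root {
        return Err(PathError::Empty);
    }
    // Belt and braces: the loop above should make this unreachable.
    if !dest.starts_with(root) {
        return Err(PathError::ParentDir);
    }
    Ok(dest)
}

/// Runtime check for the escape a lexical check cannot see: if any directory
/// between `root` and the file's parent already exists as a symlink, a write
/// through it lands wherever that link points, possibly outside the worktree.
pub fn reject_symlink_ancestors(root: &Path, dest: &Path) -> Result<(), PathError> {
    let relative = dest.strip_prefix(root).map_err(|_| PathError::ParentDir)?;
    let mut dirs: Vec<_> = relative.components().collect();
    dirs.pop(); // the last component is the file itself; only its ancestors matter
    let mut current = root.to_path_buf();
    for dir in dirs {
        current.push(dir);
        if let Ok(meta) = std::fs::symlink_metadata(&current) {
            if meta.file_type().is_symlink() {
                return Err(PathError::SymlinkAncestor);
            }
        }
        // A missing directory will be created by the checkout; a real one is fine.
    }
    Ok(())
}

fn main() {
    // Constructed sample of index entry paths as a malicious repository might
    // ship them; the root is a made-up checkout location.
    let root = Path::new("/var/lib/app/checkout");
    let entries = [
        "src/main.rs",
        "./README.md",
        "../../../home/user/.bashrc",
        "docs/../../etc/cron.d/job",
        "/etc/passwd",
        "a\\..\\b",
    ];
    for entry in entries {
        match resolve_in_worktree(root, entry) {
            Ok(dest) => println!("{:?} -> write to {}", entry, dest.display()),
            Err(err) => println!("{:?} -> refused: {:?}", entry, err),
        }
    }
}
```

The two checks are deliberately separate: `resolve_in_worktree` is pure and can be applied to every entry before touching the disk, while `reject_symlink_ancestors` has to run at write time, after earlier entries (which may themselves have created symlinks) have been checked out.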
