[Pkg-rust-maintainers] Bug#1077542: rust-gix-worktree: CVE-2024-35186
Moritz Mühlenhoff
jmm at inutil.org
Mon Jul 29 20:28:43 BST 2024
Source: rust-gix-worktree
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for rust-gix-worktree.
CVE-2024-35186[0]:
| gitoxide is a pure Rust implementation of Git. During checkout,
| `gix-worktree-state` does not verify that paths point to locations
| in the working tree. A specially crafted repository can, when
| cloned, place new files anywhere writable by the application. This
| vulnerability leads to a major loss of confidentiality, integrity,
| and availability, but creating files outside a working tree without
| attempting to execute code can directly impact integrity as well.
| This vulnerability has been patched in version(s) 0.36.0.
https://rustsec.org/advisories/RUSTSEC-2024-0349.html
https://github.com/advisories/GHSA-7w47-3wg8-547c
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-35186
https://www.cve.org/CVERecord?id=CVE-2024-35186
Please adjust the affected versions in the BTS as needed.
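The advisory text above names the bug class only in prose: checkout trusted the entry paths coming from the repository, so a crafted tree could steer file creation outside the working tree. What a checkout routine has to enforce is that every such path, joined onto the working-tree root, stays inside it, both lexically and on the real filesystem. The Rust below is an added illustration written for this report, not gitoxide's own code or its fix. It rejects absolute paths, `..` components and `.git` segments before the join, and separately refuses to write through a symlink that an earlier entry may have planted inside the tree. The type and function names (PathError, checkout_target, reject_symlink_ancestors) are hypothetical.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons an entry path taken from an untrusted tree is refused.
/// (Hypothetical type for this example, not from gitoxide.)
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    Absolute,
    ParentDir,
    DotGit,
    Nul,
    SymlinkAncestor(PathBuf),
}

/// Lexically validate an entry path and join it onto the working-tree root.
/// Only paths made of plain "normal" components survive; anything that
/// could leave the root ("..", "/x", "C:\\x") or touch the repository's own
/// metadata (".git", ASCII case-insensitive) is rejected before any I/O.
pub fn checkout_target(worktree_root: &Path, entry: &str) -> Result<PathBuf, PathError> {
    if entry.is_empty() {
        return Err(PathError::Empty);
    }
    if entry.contains('\0') {
        return Err(PathError::Nul);
    }
    // Git stores paths with '/' separators. Treat '\' as a separator as well so
    // that "a/..\\..\\b" cannot smuggle a parent reference past a '/'-only parser.
    let normalized = entry.replace('\\', "/");
    let mut out = worktree_root.to_path_buf();
    for comp in Path::new(&normalized).components() {
        match comp {
            Component::Normal(seg) => {
                if seg.to_string_lossy().eq_ignore_ascii_case(".git") {
                    return Err(PathError::DotGit);
                }
                out.push(seg);
            }
            Component::CurDir => {}
            Component::ParentDir => return Err(PathError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
        }
    }
    if out == worktree_root {
        // Entries like "./" name the root itself, never a file to create.
        return Err(PathError::Empty);
    }
    Ok(out)
}

/// A lexically clean path can still escape if an already-checked-out entry is a
/// symlink pointing outside the tree ("escape" -> /tmp, then "escape/pwned").
/// Walk the ancestors of `target` below the root and refuse if any existing one
/// is a symlink. Not-yet-created ancestors are fine: checkout will mkdir them.
pub fn reject_symlink_ancestors(worktree_root: &Path, target: &Path) -> Result<(), PathError> {
    let rel = target
        .strip_prefix(worktree_root)
        .map_err(|_| PathError::Absolute)?;
    let mut cur = worktree_root.to_path_buf();
    let ancestors = rel.parent().map(|p| p.components()).into_iter().flatten();
    for comp in ancestors {
        cur.push(comp);
        if let Ok(md) = std::fs::symlink_metadata(&cur) {
            if md.file_type().is_symlink() {
                return Err(PathError::SymlinkAncestor(cur));
            }
        }
    }
    Ok(())
}

fn main() {
    let root = Path::new("/srv/wt");
    for entry in ["src/main.rs", "../../etc/cron.d/x", "/etc/passwd", ".git/hooks/post-checkout"] {
        println!("{entry:?} -> {:?}", checkout_target(root, entry));
    }
}
```

Two caveats a reviewer of a real checkout would raise. The `.git` test here is a simplification; Git's own rule also covers NTFS short names and HFS+ variants. And check-then-create races with anything else writing into the tree: a hardened implementation opens each directory level with `O_NOFOLLOW`-style handles and creates files relative to those, rather than trusting a path string it validated a moment earlier.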