[Pkg-rust-maintainers] Bug#1082055: rust-gix-path: CVE-2024-45405

Moritz Mühlenhoff jmm at inutil.org
Tue Sep 17 22:21:22 BST 2024


Source: rust-gix-path
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-gix-path.

CVE-2024-45405[0]:
| `gix-path` is a crate of the `gitoxide` project (an implementation
| of `git` written in Rust) dealing with paths and their conversions. Prior
| to version 0.10.11, `gix-path` runs `git` to find the path of a
| configuration file associated with the `git` installation, but
| improperly resolves paths containing unusual or non-ASCII
| characters, in rare cases enabling a local attacker to inject
| configuration leading to code execution. Version 0.10.11 contains a
| patch for the issue.  In `gix_path::env`, the underlying
| implementation of the `installation_config` and
| `installation_config_prefix` functions calls `git config -l
| --show-origin` to find the path of a file to treat as belonging to the
| `git` installation. Affected versions of `gix-path` do not pass
| `-z`/`--null` to cause `git` to report literal paths. Instead, to
| cover the occasional case that `git` outputs a quoted path, they
| attempt to parse the path by stripping the quotation marks. The
| problem is that, when a path is quoted, it may change in substantial
| ways beyond the concatenation of quotation marks. If not reversed,
| these changes can result in another valid path that is not
| equivalent to the original.  On a single-user system, it is not
| possible to exploit this, unless `GIT_CONFIG_SYSTEM` and
| `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been
| installed in an unusual way. Such a scenario is not expected.
| Exploitation is unlikely even on a multi-user system, though it is
| plausible in some uncommon configurations or use cases. In general,
| exploitation is more likely to succeed if users are expected to
| install `git` themselves, and are likely to do so in predictable
| locations; locations where `git` is installed, whether due to
| usernames in their paths or otherwise, contain characters that `git`
| quotes by default in paths, such as non-English letters and accented
| letters; a custom `system`-scope configuration file is specified
| with the `GIT_CONFIG_SYSTEM` environment variable, and its path is
| in an unusual location or has strangely named components; or a
| `system`-scope configuration file is absent, empty, or suppressed by
| means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can
| treat a `global`-scope configuration file as belonging to the
| installation if no higher scope configuration file is available.
| This increases the likelihood of exploitation even on a system where
| `git` is installed system-wide in an ordinary way. However,
| exploitation is expected to be very difficult even under any
| combination of those factors.

https://github.com/advisories/GHSA-m8rp-vv92-46c7
https://rustsec.org/advisories/RUSTSEC-2024-0371.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45405
    https://www.cve.org/CVERecord?id=CVE-2024-45405

Please adjust the affected versions in the BTS as needed.
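An added illustration of the mechanism described in the CVE text above (example code written for this report, not gitoxide's source and not part of the original message): it contrasts a quote-stripping parser of `git config -l --show-origin` output with a parser of the `-z`/`--null` form, and shows what actually reversing git's C-style quoting takes. The two sample outputs are constructed by hand to mirror git's formats (quoting as done by quote_c_style() in git's quote.c); the function names and the reconstruction of the affected behaviour are illustrative assumptions based only on the advisory's description.

```rust
// Added example (not gitoxide code): how `git config -l --show-origin`
// output differs with and without `-z`, and why stripping quotation marks
// from the quoted form yields a different path. Samples are constructed.

/// Constructed output WITHOUT `-z`: git's quote_c_style() wraps a path
/// that needs quoting in double quotes and writes each non-ASCII byte
/// ("ü" = 0xC3 0xBC) as 3-digit octal; origin and key are tab-separated.
const SAMPLE_TEXT: &[u8] =
    b"file:\"/home/j\\303\\274rgen/.gitconfig\"\tuser.name=J\n\
      file:/etc/gitconfig\tsafe.directory=*\n";

/// Constructed output WITH `-z`: the path is literal, origin and key are
/// NUL-separated, key and value newline-separated, records NUL-terminated.
const SAMPLE_NUL: &[u8] =
    b"file:/home/j\xc3\xbcrgen/.gitconfig\0user.name\nJ\0\
      file:/etc/gitconfig\0safe.directory\n*\0";

/// The affected strategy as the advisory describes it (reconstructed, not
/// gitoxide's source): strip the quotation marks and keep the rest. The
/// octal escapes survive verbatim, so the result is a different valid path.
fn path_by_stripping_quotes(text_output: &[u8]) -> Option<Vec<u8>> {
    let line = text_output.split(|&b| b == b'\n').next()?;
    let origin = line.strip_prefix(b"file:")?.split(|&b| b == b'\t').next()?;
    let unquoted = origin
        .strip_prefix(b"\"")
        .and_then(|s| s.strip_suffix(b"\""))
        .unwrap_or(origin);
    Some(unquoted.to_vec())
}

#[derive(Debug, PartialEq, Eq)]
struct Entry { path: Vec<u8>, key: Vec<u8>, value: Vec<u8> }

/// The fixed strategy: request literal paths with `-z` and split on NUL.
/// Each record is two NUL-terminated fields, `file:<path>` and
/// `<key>\n<value>`; a valueless boolean key has no newline at all.
fn parse_show_origin_null(nul_output: &[u8]) -> Vec<Entry> {
    let mut entries = Vec::new();
    let mut fields = nul_output.split(|&b| b == 0);
    while let (Some(origin), Some(kv)) = (fields.next(), fields.next()) {
        let path = match origin.strip_prefix(b"file:") {
            Some(p) => p,
            None => continue, // origin is command line, blob or stdin
        };
        let (key, value) = match kv.iter().position(|&b| b == b'\n') {
            Some(i) => (&kv[..i], &kv[i + 1..]),
            None => (kv, &kv[kv.len()..]),
        };
        entries.push(Entry { path: path.to_vec(), key: key.to_vec(), value: value.to_vec() });
    }
    entries
}

/// What reversing the quoting actually takes without `-z`: the escapes
/// quote_c_style() emits (\a \b \f \n \r \t \v \\ \" and exactly three
/// octal digits, as git's own unquote_c_style() demands). None if malformed.
fn unquote_c_style(quoted: &[u8]) -> Option<Vec<u8>> {
    let inner = quoted.strip_prefix(b"\"")?.strip_suffix(b"\"")?;
    let mut out = Vec::with_capacity(inner.len());
    let mut i = 0;
    while i < inner.len() {
        let b = inner[i];
        i += 1;
        if b != b'\\' {
            out.push(b);
            continue;
        }
        let e = *inner.get(i)?;
        i += 1;
        out.push(match e {
            b'a' => 0x07, b'b' => 0x08, b'f' => 0x0c, b'v' => 0x0b,
            b'n' => b'\n', b'r' => b'\r', b't' => b'\t', b'\\' => b'\\', b'"' => b'"',
            b'0'..=b'7' => {
                let rest = inner.get(i..i + 2)?;
                i += 2;
                let val = [e, rest[0], rest[1]].iter().try_fold(0u32, |acc, &c| {
                    (b'0'..=b'7').contains(&c).then(|| acc * 8 + u32::from(c - b'0'))
                })?;
                u8::try_from(val).ok()? // anything above \377 is not a byte
            }
            _ => return None,
        });
    }
    Some(out)
}

fn main() {
    let wrong = path_by_stripping_quotes(SAMPLE_TEXT).unwrap();
    println!("quote-stripped: {}", String::from_utf8_lossy(&wrong));
    for e in parse_show_origin_null(SAMPLE_NUL) {
        println!("-z literal    : {}", String::from_utf8_lossy(&e.path));
    }
}
```

Run stand-alone, the quote-stripping variant prints `/home/j\303\274rgen/.gitconfig`, a path an attacker able to create that directory could populate, while the `-z` parser recovers `/home/jürgen/.gitconfig`. The `-z` route is the simpler of the two correct options because the paths need no reversal at all; the unquoting routine is shown to make concrete how much more than "concatenation of quotation marks" the quoted form carries.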


