Bug 2247040 (CVE-2023-41040)

Summary: CVE-2023-41040 GitPython: Blind local file inclusion
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: adudiak, bbuckingham, bcourt, davidn, eglynn, ehelms, epacific, jburrell, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jsamir, jschluet, jsherril, jtanner, jweng, kaycoth, kshier, lhh, luizcosta, lzap, mabashia, mburns, mgarciac, mhulan, nmoumoul, nobody, nweather, orabin, osapryki, pcreech, pgrist, psegedy, rbobbitt, rchan, simaishi, smcdonal, stcannon, sthirugn, teagle, tfister, vkrizan, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: GitPython 3.1.37
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in GitPython due to an input validation error when reading from the ".git" directory. This issue may allow a remote attacker to prepare a specially crafted ".git" file with directory traversal characters in file names and force the application to read these files from the local system, which can result in checking for the existence of a specific file on the system or allow a denial of service (DoS) attack.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2247049, 2247050, 2248699, 2248700, 2247046, 2247047, 2247048, 2248698, 2248701, 2248702, 2248734, 2249613
Bug Blocks: 2247051

Description Pedro Sampaio 2023-10-30 12:42:57 UTC
GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user-given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

References:

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
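The defect described above is a bare path join with no containment check. The following added example (not GitPython's code; function names are hypothetical) contrasts that pattern with a join that resolves the candidate path and verifies it still lies inside the `.git` directory, using a constructed repository layout in a temporary directory. It also covers the absolute-path case, which `os.path.join` silently accepts by discarding the base.

```python
import os
import tempfile
from pathlib import Path

# Added example, not GitPython's code. Function names are hypothetical.

def ref_path_unchecked(git_dir: str, ref_name: str) -> str:
    """The vulnerable pattern: join base and user string, no containment check."""
    return os.path.join(git_dir, ref_name)

def ref_path_checked(git_dir: str, ref_name: str) -> str:
    """Resolve '..' and symlinks first, then require the result to stay under base."""
    base = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(base, ref_name))
    # commonpath is the containment test; a plain startswith() would also
    # accept a sibling directory such as '.git_other' beside '.git'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"ref name escapes the .git directory: {ref_name!r}")
    return candidate

def read_ref(git_dir: str, ref_name: str, checked: bool = True) -> str:
    """Read a ref file through either join; returns its stripped contents."""
    resolver = ref_path_checked if checked else ref_path_unchecked
    with open(resolver(git_dir, ref_name)) as fh:
        return fh.read().strip()

def demo() -> dict:
    """Constructed layout: <tmp>/.git/refs/heads/main plus a file outside .git."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        os.makedirs(os.path.join(git_dir, "refs", "heads"))
        Path(git_dir, "refs", "heads", "main").write_text("0123abcd\n")
        outside = Path(tmp, "outside.txt")
        outside.write_text("not a ref\n")  # lives outside .git on purpose
        results = {"legit": read_ref(git_dir, "refs/heads/main")}
        # Unchecked join follows the traversal and reads the outside file.
        results["unchecked_escape"] = read_ref(git_dir, "../outside.txt", checked=False)
        for label, name in (("checked_escape", "../outside.txt"),
                            ("checked_abs", str(outside))):
            try:
                read_ref(git_dir, name)
                results[label] = "allowed"
            except ValueError:
                results[label] = "rejected"
        return results

if __name__ == "__main__":
    print(demo())
```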

Comment 4 ybuenos 2023-11-08 13:25:18 UTC
Created GitPython tracking bugs for this issue:

Affects: epel-all [bug 2248699]
Affects: fedora-all [bug 2248698]
Affects: openstack-rdo [bug 2248700]

Created centpkg tracking bugs for this issue:

Affects: epel-7 [bug 2248701]

Created ndiscover-exo-2-fonts tracking bugs for this issue:

Affects: fedora-37 [bug 2248702]

Comment 8 errata-xmlrpc 2023-12-14 16:26:40 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:7851 https://access.redhat.com/errata/RHSA-2023:7851

Comment 9 errata-xmlrpc 2024-01-16 14:35:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0215 https://access.redhat.com/errata/RHSA-2024:0215

Comment 10 errata-xmlrpc 2024-01-16 14:36:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0190 https://access.redhat.com/errata/RHSA-2024:0190

Comment 11 errata-xmlrpc 2024-01-22 14:19:38 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:0322 https://access.redhat.com/errata/RHSA-2024:0322

Comment 12 errata-xmlrpc 2024-04-02 19:29:58 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640