Bug 2498479 - CVE-2026-42305 python-dulwich: Dulwich: Remote Code Execution via Malicious Git Repository [fedora-all]
Summary: CVE-2026-42305 python-dulwich: Dulwich: Remote Code Execution via Malicious G...
Keywords:
Status: ON_QA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-dulwich
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["70d80ad3-a8cf-4763-be08-7...
Depends On:
Blocks: 2487758
TreeView+ depends on / blocked
 
Reported: 2026-07-09 11:55 UTC by Marian Rehak
Modified: 2026-07-12 01:11 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Marian Rehak 2026-07-09 11:55:14 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.

Comment 1 Fedora Update System 2026-07-10 13:53:45 UTC
FEDORA-2026-fbd55e52fb (python-dulwich-1.2.9-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-fbd55e52fb

Comment 2 Fedora Update System 2026-07-11 01:34:14 UTC
FEDORA-2026-fbd55e52fb has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-fbd55e52fb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-fbd55e52fb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2026-07-12 01:11:47 UTC
FEDORA-2026-fbd55e52fb (python-dulwich-1.2.9-1.fc44) has been pushed to the Fedora 44 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.