Bug 2247040 (CVE-2023-41040) - CVE-2023-41040 GitPython: Blind local file inclusion
Summary: CVE-2023-41040 GitPython: Blind local file inclusion
Keywords:
Status: NEW
Alias: CVE-2023-41040
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2247049 2247050 2248699 2248700 2247046 2247047 2247048 2248698 2248701 2248702 2248734 2249613
Blocks: 2247051
Reported: 2023-10-30 12:42 UTC by Pedro Sampaio
Modified: 2024-04-02 19:30 UTC (History)

Fixed In Version: GitPython 3.1.37
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in GitPython due to an input validation error when reading from the ".git" directory. This issue may allow a remote attacker to prepare a specially crafted ".git" file with directory traversal characters in file names and force the application to read these files from the local system, which can result in checking for the existence of a specific file on the system or allow a denial of service (DoS) attack.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7851 0 None None None 2023-12-14 16:26:44 UTC
Red Hat Product Errata RHSA-2024:0190 0 None None None 2024-01-16 14:36:15 UTC
Red Hat Product Errata RHSA-2024:0215 0 None None None 2024-01-16 14:35:46 UTC
Red Hat Product Errata RHSA-2024:0322 0 None None None 2024-01-22 14:19:41 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:02 UTC

Description Pedro Sampaio 2023-10-30 12:42:57 UTC
GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user-given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

References:

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c
https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175
https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html
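The unchecked join described in the comment above, placed beside a containment check that rejects ref names resolving outside the `.git` directory. This is an added illustration, not GitPython's code or its actual fix; `contained_ref_path`, `read_ref`, `RefPathError` and the constructed sample repository are hypothetical.

```python
import os
import tempfile


class RefPathError(ValueError):
    """Raised when a ref name would resolve outside the .git directory."""


def unchecked_ref_path(git_dir: str, ref_name: str) -> str:
    # The pattern the advisory describes: the base directory joined with a
    # user-supplied name, with no check that the result stays under git_dir.
    # Kept only as the "before" for comparison.
    return os.path.join(git_dir, ref_name)


def contained_ref_path(git_dir: str, ref_name: str) -> str:
    """Join git_dir and ref_name, refusing any result outside git_dir.

    Hypothetical hardening (not GitPython's fix): resolve symlinks and '..'
    segments with realpath, then require that the resolved base is the
    common prefix of base and candidate. Absolute ref names are refused
    outright because os.path.join would discard the base for them.
    """
    base = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(base, ref_name))
    if os.path.isabs(ref_name) or os.path.commonpath([base, candidate]) != base:
        raise RefPathError(f"ref name escapes .git directory: {ref_name!r}")
    return candidate


def read_ref(git_dir: str, ref_name: str) -> str:
    """Read a ref file after the containment check; return its stripped text."""
    with open(contained_ref_path(git_dir, ref_name), encoding="utf-8") as fh:
        return fh.read().strip()


def demo() -> dict:
    """Constructed sample .git directory; returns a verdict per ref name."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = os.path.join(tmp, ".git")
        os.makedirs(os.path.join(git_dir, "refs", "heads"))
        with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
            fh.write("0123456789abcdef0123456789abcdef01234567\n")  # constructed
        results = {"main": read_ref(git_dir, "refs/heads/main")}
        probes = {"dotdot": "../outside", "nested_dotdot": "refs/../../outside",
                  "absolute": os.path.join(tmp, "outside"),
                  "inside_dotdot": "refs/heads/../heads/main"}
        for label, name in probes.items():
            try:
                contained_ref_path(git_dir, name)
                results[label] = "allowed"
            except RefPathError:
                results[label] = "rejected"
        return results
```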

Comment 4 ybuenos 2023-11-08 13:25:18 UTC
Created GitPython tracking bugs for this issue:

Affects: epel-all [bug 2248699]
Affects: fedora-all [bug 2248698]
Affects: openstack-rdo [bug 2248700]


Created centpkg tracking bugs for this issue:

Affects: epel-7 [bug 2248701]


Created ndiscover-exo-2-fonts tracking bugs for this issue:

Affects: fedora-37 [bug 2248702]

Comment 8 errata-xmlrpc 2023-12-14 16:26:40 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:7851 https://access.redhat.com/errata/RHSA-2023:7851

Comment 9 errata-xmlrpc 2024-01-16 14:35:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0215 https://access.redhat.com/errata/RHSA-2024:0215

Comment 10 errata-xmlrpc 2024-01-16 14:36:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1

Via RHSA-2024:0190 https://access.redhat.com/errata/RHSA-2024:0190

Comment 11 errata-xmlrpc 2024-01-22 14:19:38 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:0322 https://access.redhat.com/errata/RHSA-2024:0322

Comment 12 errata-xmlrpc 2024-04-02 19:29:58 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640
