Bug 1225024 (CVE-2024-35197)

Summary: VUL-0: CVE-2024-35197: gitoxide: refs and paths with reserved Windows device names access the devices
Product: [openSUSE] openSUSE Distribution
Reporter: Camila Camargo de Matos <camila.matos>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/407404/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Camila Camargo de Matos 2024-05-22 14:32:43 UTC
On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that appear to have come from the application, and potentially other harmful effects under limited circumstances.

References:
https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35197
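As an added defender-side example (not gitoxide's own code and not taken from the advisory), the check below refuses ref-name and path segments that Windows would resolve to a legacy DOS device, covering the cases a plain string comparison misses: letter case, a trailing extension, and trailing dots or spaces. The device list (CON, PRN, AUX, NUL, COM1 through COM9, LPT1 through LPT9) is the classic namespace; the function names and sample inputs are my own.

```rust
/// Returns true if `component` (one path segment or ref-name segment) would be
/// resolved by Windows to a legacy DOS device rather than to a file.
/// Windows matches the stem case-insensitively, ignores anything after the first
/// '.', and discards trailing spaces and dots, so "con", "CON.txt" and "Nul " all hit.
pub fn is_reserved_windows_device_name(component: &str) -> bool {
    // Trailing spaces and dots are dropped by Windows before the name lookup.
    let trimmed = component.trim_end_matches(|c: char| c == ' ' || c == '.');
    // Only the stem before the first '.' matters ("aux.c" still targets AUX).
    let stem = trimmed.split('.').next().unwrap_or("").to_ascii_uppercase();
    match stem.as_str() {
        "CON" | "PRN" | "AUX" | "NUL" => true,
        // COM1..COM9 and LPT1..LPT9 only; COM0 and COM10 are ordinary names.
        s if s.len() == 4 && (s.starts_with("COM") || s.starts_with("LPT")) => {
            let digit = s.as_bytes()[3];
            digit.is_ascii_digit() && digit != b'0'
        }
        _ => false,
    }
}

/// Checks every '/'-separated segment of a ref name or repository-relative path
/// and returns the first offending segment, so the caller can refuse the ref or
/// the checkout instead of touching a device.
pub fn find_reserved_segment(name: &str) -> Option<&str> {
    name.split('/').find(|seg| is_reserved_windows_device_name(seg))
}

fn main() {
    // Constructed inputs: ref names and tree paths a hostile repository could carry.
    for candidate in ["refs/heads/CON", "src/aux.c", "docs/readme.md", "COM1.txt", "com10"] {
        match find_reserved_segment(candidate) {
            Some(seg) => println!("reject {candidate:?}: segment {seg:?} names a Windows device"),
            None => println!("accept {candidate:?}"),
        }
    }
}
```

The check is intended to run on every segment of a fetched ref name and of every path in a tree before it is written to the working directory, on all platforms, since a repository created on Linux is still cloned on Windows.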