1225023 – (CVE-2024-35186) VUL-0: CVE-2024-35186: gitoxide: traversal outside working tree enables arbitrary code execution

Bug 1225023 (CVE-2024-35186) - VUL-0: CVE-2024-35186: gitoxide: traversal outside working tree enables arbitrary code execution

Summary: VUL-0: CVE-2024-35186: gitoxide: traversal outside working tree enables arbit...

Status:	RESOLVED FIXED

Alias:	CVE-2024-35186

Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Leap 15.6
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/407401/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-05-22 14:28 UTC by Camila Camargo de Matos
Modified:	2024-05-23 11:04 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Camila Camargo de Matos 2024-05-22 14:28:40 UTC

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

References:
https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35186