Bug 1225024 (CVE-2024-35197) - VUL-0: CVE-2024-35197: gitoxide: refs and paths with reserved Windows device names access the devices
Summary: VUL-0: CVE-2024-35197: gitoxide: refs and paths with reserved Windows device ...
Status: RESOLVED FIXED
Alias: CVE-2024-35197
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.6
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/407404/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-22 14:32 UTC by Camila Camargo de Matos
Modified: 2024-05-23 11:07 UTC (History)
0 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Camila Camargo de Matos 2024-05-22 14:32:43 UTC
On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that appear to have come from the application, and potentially other harmful effects under limited circumstances.

References:
https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35197
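The defensive check this class of bug calls for is validation of every path component (of checkout paths and of loose ref names, which also become file paths under `.git/refs/`) against the Windows reserved device names before anything is written or read. The following is an added example written for this report, not gitoxide's own validation code; the function names and the sample inputs are constructed for illustration.

```rust
/// Classic reserved Windows device names. Win32 matches them case-insensitively,
/// ignores anything after the first '.' (so `CON.txt` is still CON) and strips
/// trailing spaces and dots. Newer Windows releases document further names
/// (COM0, LPT0, superscript digits); extend the table if you target them.
const RESERVED: [&str; 22] = [
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
];

/// True if a single path component would be resolved to a device by Windows.
fn is_reserved_component(component: &str) -> bool {
    // Everything from the first '.' onwards is treated as an extension.
    let stem = component.split('.').next().unwrap_or("");
    // Trailing spaces are dropped by Win32 path normalisation.
    let stem = stem.trim_end_matches(' ');
    let upper = stem.to_ascii_uppercase();
    RESERVED.contains(&upper.as_str())
}

/// Returns every component of `path` (ref name or checkout path, '/' or '\\'
/// separated) that clashes with a device name. An empty result means the path
/// is safe to materialise on a Windows filesystem.
fn reserved_components(path: &str) -> Vec<String> {
    path.split(|c| c == '/' || c == '\\')
        .filter(|c| is_reserved_component(c))
        .map(str::to_string)
        .collect()
}

fn main() {
    // Constructed sample inputs: a ref name, a checkout path and a benign path.
    for candidate in ["refs/heads/CON", "src/aux.rs", "docs/readme.md"] {
        let hits = reserved_components(candidate);
        if hits.is_empty() {
            println!("ok      {candidate}");
        } else {
            println!("REJECT  {candidate}: device name component(s) {hits:?}");
        }
    }
}
```

Rejecting the ref or path up front avoids the blocking read or device write the advisory describes, regardless of which device the name maps to.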