Bug 884623 (CVE-2022-24439) - <dev-python/GitPython-3.1.30: code execution via crafted input to Repo.clone_from
Status: RESOLVED FIXED
Alias: CVE-2022-24439
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/gitpython-develope...
Whiteboard: B1 [glsa+]
Depends on: 889040
Reported: 2022-12-06 21:19 UTC by John Helmert III
Modified: 2023-11-01 12:22 UTC (History)
Description John Helmert III 2022-12-06 21:19:47 UTC
CVE-2022-24439 (https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858):

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

There's another reference which is 404: https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249

There's an upstream report at URL, no reference to that report in the Snyk report though. No fix yet.
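As an added defensive example (not code from this bug, from Snyk, or from GitPython itself): a wrapper that validates an untrusted clone URL before it is handed to Repo.clone_from, and refuses to run on a GitPython older than 3.1.30, the release this bug records as carrying the fix. The scheme and host allowlists are constructed placeholders; adjust them to the remotes your deployment actually needs.

```python
"""Validate an untrusted remote URL before GitPython passes it to `git clone`.

Added example, not part of the Gentoo bug or of GitPython. It assumes the clone
URL arrives from an untrusted source (web form, API request) and that the
caller wants to restrict what reaches the git subprocess regardless of the
installed GitPython version.
"""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh"}              # constructed allowlist
ALLOWED_HOSTS = {"github.com", "gitlab.com"}    # constructed allowlist
FIXED_VERSION = (3, 1, 30)                      # first release with the fix, per this bug


def validate_clone_url(url: str) -> str:
    """Return `url` unchanged if it is acceptable, otherwise raise ValueError."""
    if not isinstance(url, str) or not url.strip():
        raise ValueError("empty clone URL")
    # Anything git could read as an option rather than a URL is refused outright.
    if url.lstrip().startswith("-"):
        raise ValueError("clone URL must not start with '-'")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise ValueError("clone URL contains whitespace or control characters")
    parts = urlsplit(url)
    # scp-style "git@host:path" has no scheme and is rejected here by design.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} not allowed")
    return url


def gitpython_is_fixed(version: str) -> bool:
    """True if a GitPython version string such as '3.1.30' is at or past the fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


def safe_clone(url: str, dest: str):
    """Clone only after both checks pass; git is imported lazily so the validator runs without it."""
    import git  # GitPython
    if not gitpython_is_fixed(git.__version__):
        raise RuntimeError(f"GitPython {git.__version__} predates the 3.1.30 fix for CVE-2022-24439")
    return git.Repo.clone_from(validate_clone_url(url), dest)
```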
Comment 1 John Helmert III 2022-12-08 20:31:31 UTC
"No fix is planned, and this issue is triaged as 'help wanted'."
Comment 2 Michał Górny 2022-12-08 20:33:50 UTC
Honestly?  I hate this horror of a package and I'd love to see it gone.  Unfortunately, it has a bunch of revdeps...
Comment 3 John Helmert III 2022-12-30 21:23:37 UTC
3.1.30 is released according to the issue at URL, and is pushed to PyPI.
Comment 4 John Helmert III 2022-12-31 07:49:11 UTC
Thanks!
Comment 5 Larry the Git Cow 2023-11-01 12:21:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c77ebbf690aa9db206075b255adc3de59632bb55

commit c77ebbf690aa9db206075b255adc3de59632bb55
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-01 12:20:26 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-01 12:21:08 +0000

    [ GLSA 202311-01 ] GitPython: Code Execution via Crafted Input
    
    Bug: https://bugs.gentoo.org/884623
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)