Bug 884623 (CVE-2022-24439)

Summary: <dev-python/GitPython-3.1.30: code execution via crafted input to Repo.clone_from
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: mgorny, python
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/gitpython-developers/GitPython/issues/1515
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 889040
Bug Blocks:

Description John Helmert III 2022-12-06 21:19:47 UTC
CVE-2022-24439 (https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858):

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

There's another reference which is 404: https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249

There's an upstream report at URL; no reference to that report in the Snyk report, though. No fix yet.
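The Snyk description above boils down to the clone URL reaching git's command line without enough checking. As an added example (editor's code, not GitPython's or the upstream fix), here is a pre-flight check a caller could apply to the URL before handing it to Repo.clone_from, plus argv construction that puts `--` before the positional arguments; the allowed scheme list and the rejected remote-helper prefixes are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Added example, not GitPython's code: pre-flight checks for a clone URL so that
# a crafted "URL" cannot be read by git as an option or as a remote-helper command.

ALLOWED_SCHEMES = {"https", "ssh", "git"}          # allow-list chosen for this example
UNSAFE_HELPER_PREFIXES = ("ext::", "fex::")        # git remote helpers that run a command
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:\S+$")  # git@host:owner/repo.git


class UnsafeCloneURL(ValueError):
    """Raised when a clone URL fails the pre-flight checks."""


def validate_clone_url(url: str) -> str:
    """Return the URL unchanged if every check passes, otherwise raise UnsafeCloneURL."""
    if not url or url != url.strip():
        raise UnsafeCloneURL("empty or padded with whitespace")
    # An argument beginning with '-' is parsed by git as an option, not as a URL.
    if url.startswith("-"):
        raise UnsafeCloneURL("looks like a command-line option")
    # Remote-helper transports that execute a command are refused outright.
    if url.lower().startswith(UNSAFE_HELPER_PREFIXES):
        raise UnsafeCloneURL("unsafe remote-helper transport")
    # Everything else must use an allow-listed scheme or the scp-like ssh form.
    scheme = urlsplit(url).scheme.lower()
    if scheme in ALLOWED_SCHEMES or (not scheme and SCP_LIKE.match(url)):
        return url
    raise UnsafeCloneURL(f"scheme {scheme!r} is not allowed")


def is_safe_clone_url(url: str) -> bool:
    """Boolean form of validate_clone_url for callers that only need a verdict."""
    try:
        validate_clone_url(url)
        return True
    except UnsafeCloneURL:
        return False


def build_clone_argv(url: str, dest: str) -> list:
    """argv for `git clone`, with '--' so git stops option parsing before the
    positional arguments even if a later check is bypassed."""
    return ["git", "clone", "--", validate_clone_url(url), dest]


if __name__ == "__main__":
    for candidate in ("https://example.com/repo.git", "--verbose", "ext::helper"):
        print(candidate, "->", "ok" if is_safe_clone_url(candidate) else "rejected")
```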
Comment 1 John Helmert III 2022-12-08 20:31:31 UTC
"No fix is planned, and this issue is triaged as 'help wanted'."
Comment 2 Michał Górny 2022-12-08 20:33:50 UTC
Honestly?  I hate this horror of a package and I'd love to see it gone.  Unfortunately, it has a bunch of revdeps...
Comment 3 John Helmert III 2022-12-30 21:23:37 UTC
3.1.30 is released according to the issue at URL, and is pushed to PyPI.
Comment 4 John Helmert III 2022-12-31 07:49:11 UTC
Thanks!
Comment 5 Larry the Git Cow 2023-11-01 12:21:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c77ebbf690aa9db206075b255adc3de59632bb55

commit c77ebbf690aa9db206075b255adc3de59632bb55
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-01 12:20:26 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-01 12:21:08 +0000

    [ GLSA 202311-01 ] GitPython: Code Execution via Crafted Input
    
    Bug: https://bugs.gentoo.org/884623
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)