116 lines
9.7 KiB
XML
116 lines
9.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for python-GitPython is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2023-1628</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2023-09-15</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2023-09-15</InitialReleaseDate>
|
|
<CurrentReleaseDate>2023-09-15</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2023-09-15</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">python-GitPython security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for python-GitPython is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">**GitPython*is a python library used to interact with Git repositories.GitPython provides object model read and write access to your git repository. Access repository information conveniently, alter the index directly, handle remotes, or go down to low-level object database access with big-files support.With the new object database abstraction added in 0.3, its even possible to implement your own storage mechanisms, the currently available implementations are 'cgit' and pure python, which is the default.Documentation The latest documentation can be found here: As this version of GitPython depends on GitDB, which in turn needs smmap to work, installation is a bit more involved if you do a manual installation, instead of using pip.
|
|
|
|
Security Fix(es):
|
|
|
|
GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.(CVE-2023-41040)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for python-GitPython is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.
|
|
|
|
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">python-GitPython</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1628</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-41040</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-41040</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">openEuler-22.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">openEuler-22.03-LTS-SP2</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="python3-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-GitPython-3.1.32-2.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-help-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-GitPython-help-3.1.32-2.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python3-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">python3-GitPython-3.1.32-2.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-help-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">python-GitPython-help-3.1.32-2.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-help-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">python-GitPython-help-3.1.32-2.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python3-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">python3-GitPython-3.1.32-2.oe2203.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-help-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python-GitPython-help-3.1.32-2.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python3-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python3-GitPython-3.1.32-2.oe2203sp1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-help-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">python-GitPython-help-3.1.32-2.oe2203sp2.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="python3-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">python3-GitPython-3.1.32-2.oe2203sp2.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="python-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python-GitPython-3.1.32-2.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">python-GitPython-3.1.32-2.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">python-GitPython-3.1.32-2.oe2203.src.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">python-GitPython-3.1.32-2.oe2203sp1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="python-GitPython-3.1.32-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP2">python-GitPython-3.1.32-2.oe2203sp2.src.rpm</FullProductName>
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn t check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2023-09-15</ReleaseDate>
|
|
<CVE>CVE-2023-41040</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-22.03-LTS-SP2</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>6.5</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>python-GitPython security update</Description>
|
|
<DATE>2023-09-15</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1628</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |