Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-45405 (GCVE-0-2024-45405)
Vulnerability from cvelistv5 – Published: 2024-09-06 13:10 – Updated: 2024-09-06 14:10
VLAI
EPSS
Title
gix-path improperly resolves configuration path reported by Git
Summary
`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.
In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.
On a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.
Severity
6 (Medium)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Byron/gitoxide/security/adviso… | x_refsource_CONFIRM |
| https://github.com/Byron/gitoxide/commit/650a1b5c… | x_refsource_MISC |
| https://github.com/Byron/gitoxide/blob/1cfe577d46… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "gitoxide",
"vendor": "byron",
"versions": [
{
"lessThan": "0.10.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T14:05:27.484858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T14:10:03.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gitoxide",
"vendor": "Byron",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-41",
"description": "CWE-41: Improper Resolution of Path Equivalence",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427: Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T13:10:31.602Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7"
},
{
"name": "https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031"
},
{
"name": "https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142"
}
],
"source": {
"advisory": "GHSA-m8rp-vv92-46c7",
"discovery": "UNKNOWN"
},
"title": "gix-path improperly resolves configuration path reported by Git"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45405",
"datePublished": "2024-09-06T13:10:31.602Z",
"dateReserved": "2024-08-28T20:21:32.804Z",
"dateUpdated": "2024-09-06T14:10:03.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-45405",
"date": "2026-05-29",
"epss": "0.00072",
"percentile": "0.2214"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45405\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-06T13:15:05.830\",\"lastModified\":\"2024-09-06T16:46:26.830\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\\n\\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\\n\\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.\"},{\"lang\":\"es\",\"value\":\"`gix-path` es un paquete del proyecto `gitoxide` (una implementaci\u00f3n de `git` escrita en Rust) que se ocupa de rutas y sus conversiones. Antes de la versi\u00f3n 0.10.11, `gix-path` ejecuta `git` para encontrar la ruta de un archivo de configuraci\u00f3n asociado con la instalaci\u00f3n de `git`, pero resuelve incorrectamente las rutas que contienen caracteres inusuales o que no son ASCII, lo que en casos excepcionales permite que un atacante local inyecte una configuraci\u00f3n que lleve a la ejecuci\u00f3n del c\u00f3digo. La versi\u00f3n 0.10.11 contiene un parche para el problema. En `gix_path::env`, la implementaci\u00f3n subyacente de las funciones `installation_config` e `installation_config_prefix` llama a `git config -l --show-origin` para encontrar la ruta de un archivo que se tratar\u00e1 como perteneciente a la instalaci\u00f3n de `git`. Las versiones afectadas de `gix-path` no pasan `-z`/`--null` para hacer que `git` informe las rutas literales. En cambio, para cubrir el caso ocasional en el que `git` genera una ruta entre comillas, intentan analizar la ruta quitando las comillas. El problema es que, cuando se entrecomilla una ruta, puede cambiar de manera sustancial m\u00e1s all\u00e1 de la concatenaci\u00f3n de comillas. Si no se revierten, estos cambios pueden dar como resultado otra ruta v\u00e1lida que no sea equivalente a la original. En un sistema de un solo usuario, no es posible explotar esto, a menos que `GIT_CONFIG_SYSTEM` y `GIT_CONFIG_GLOBAL` se hayan configurado con valores inusuales o Git se haya instalado de una manera inusual. Tal escenario no se espera. La explotaci\u00f3n es poco probable incluso en un sistema multiusuario, aunque es plausible en algunas configuraciones o casos de uso poco comunes. En general, es m\u00e1s probable que la explotaci\u00f3n tenga \u00e9xito si se espera que los usuarios instalen `git` ellos mismos, y es probable que lo hagan en ubicaciones predecibles; las ubicaciones donde est\u00e1 instalado `git`, ya sea debido a nombres de usuario en sus rutas o por cualquier otro motivo, contienen caracteres que `git` cita de forma predeterminada en las rutas, como letras que no est\u00e1n en ingl\u00e9s y letras acentuadas; se especifica un archivo de configuraci\u00f3n personalizado de \u00e1mbito `system` con la variable de entorno `GIT_CONFIG_SYSTEM`, y su ruta est\u00e1 en una ubicaci\u00f3n inusual o tiene componentes con nombres extra\u00f1os; o un archivo de configuraci\u00f3n de \u00e1mbito `system` est\u00e1 ausente, vac\u00edo o suprimido por medios distintos a `GIT_CONFIG_NOSYSTEM`. Actualmente, `gix-path` puede tratar un archivo de configuraci\u00f3n de \u00e1mbito `global` como perteneciente a la instalaci\u00f3n si no hay disponible un archivo de configuraci\u00f3n de \u00e1mbito superior. Esto aumenta la probabilidad de explotaci\u00f3n incluso en un sistema donde `git` est\u00e1 instalado en todo el sistema de forma normal. Sin embargo, se espera que la explotaci\u00f3n sea muy dif\u00edcil incluso bajo cualquier combinaci\u00f3n de esos factores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-41\"},{\"lang\":\"en\",\"value\":\"CWE-427\"}]}],\"references\":[{\"url\":\"https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45405\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-06T14:05:27.484858Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:byron:gitoxide:*:*:*:*:*:*:*:*\"], \"vendor\": \"byron\", \"product\": \"gitoxide\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.10.11\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-06T14:09:50.688Z\"}}], \"cna\": {\"title\": \"gix-path improperly resolves configuration path reported by Git\", \"source\": {\"advisory\": \"GHSA-m8rp-vv92-46c7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Byron\", \"product\": \"gitoxide\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.10.11\"}]}], \"references\": [{\"url\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7\", \"name\": \"https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031\", \"name\": \"https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142\", \"name\": \"https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\\n\\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\\n\\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-41\", \"description\": \"CWE-41: Improper Resolution of Path Equivalence\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-427\", \"description\": \"CWE-427: Uncontrolled Search Path Element\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-06T13:10:31.602Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45405\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-06T14:10:03.214Z\", \"dateReserved\": \"2024-08-28T20:21:32.804Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-06T13:10:31.602Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2024-45405
Vulnerability from fkie_nvd - Published: 2024-09-06 13:15 - Updated: 2026-04-15 00:35
Severity
Summary
`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.
In `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.
On a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors."
},
{
"lang": "es",
"value": "`gix-path` es un paquete del proyecto `gitoxide` (una implementaci\u00f3n de `git` escrita en Rust) que se ocupa de rutas y sus conversiones. Antes de la versi\u00f3n 0.10.11, `gix-path` ejecuta `git` para encontrar la ruta de un archivo de configuraci\u00f3n asociado con la instalaci\u00f3n de `git`, pero resuelve incorrectamente las rutas que contienen caracteres inusuales o que no son ASCII, lo que en casos excepcionales permite que un atacante local inyecte una configuraci\u00f3n que lleve a la ejecuci\u00f3n del c\u00f3digo. La versi\u00f3n 0.10.11 contiene un parche para el problema. En `gix_path::env`, la implementaci\u00f3n subyacente de las funciones `installation_config` e `installation_config_prefix` llama a `git config -l --show-origin` para encontrar la ruta de un archivo que se tratar\u00e1 como perteneciente a la instalaci\u00f3n de `git`. Las versiones afectadas de `gix-path` no pasan `-z`/`--null` para hacer que `git` informe las rutas literales. En cambio, para cubrir el caso ocasional en el que `git` genera una ruta entre comillas, intentan analizar la ruta quitando las comillas. El problema es que, cuando se entrecomilla una ruta, puede cambiar de manera sustancial m\u00e1s all\u00e1 de la concatenaci\u00f3n de comillas. Si no se revierten, estos cambios pueden dar como resultado otra ruta v\u00e1lida que no sea equivalente a la original. En un sistema de un solo usuario, no es posible explotar esto, a menos que `GIT_CONFIG_SYSTEM` y `GIT_CONFIG_GLOBAL` se hayan configurado con valores inusuales o Git se haya instalado de una manera inusual. Tal escenario no se espera. La explotaci\u00f3n es poco probable incluso en un sistema multiusuario, aunque es plausible en algunas configuraciones o casos de uso poco comunes. En general, es m\u00e1s probable que la explotaci\u00f3n tenga \u00e9xito si se espera que los usuarios instalen `git` ellos mismos, y es probable que lo hagan en ubicaciones predecibles; las ubicaciones donde est\u00e1 instalado `git`, ya sea debido a nombres de usuario en sus rutas o por cualquier otro motivo, contienen caracteres que `git` cita de forma predeterminada en las rutas, como letras que no est\u00e1n en ingl\u00e9s y letras acentuadas; se especifica un archivo de configuraci\u00f3n personalizado de \u00e1mbito `system` con la variable de entorno `GIT_CONFIG_SYSTEM`, y su ruta est\u00e1 en una ubicaci\u00f3n inusual o tiene componentes con nombres extra\u00f1os; o un archivo de configuraci\u00f3n de \u00e1mbito `system` est\u00e1 ausente, vac\u00edo o suprimido por medios distintos a `GIT_CONFIG_NOSYSTEM`. Actualmente, `gix-path` puede tratar un archivo de configuraci\u00f3n de \u00e1mbito `global` como perteneciente a la instalaci\u00f3n si no hay disponible un archivo de configuraci\u00f3n de \u00e1mbito superior. Esto aumenta la probabilidad de explotaci\u00f3n incluso en un sistema donde `git` est\u00e1 instalado en todo el sistema de forma normal. Sin embargo, se espera que la explotaci\u00f3n sea muy dif\u00edcil incluso bajo cualquier combinaci\u00f3n de esos factores."
}
],
"id": "CVE-2024-45405",
"lastModified": "2026-04-15T00:35:42.020",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-09-06T13:15:05.830",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-41"
},
{
"lang": "en",
"value": "CWE-427"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-M8RP-VV92-46C7
Vulnerability from github – Published: 2024-09-06 19:55 – Updated: 2024-09-18 22:48
VLAI
Summary
gix-path improperly resolves configuration path reported by Git
Details
Summary
gix-path runs git to find the path of a configuration file associated with the git installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution.
Details
In gix_path::env, the underlying implementation of the installation_config and installation_config_prefix functions calls git config -l --show-origin to find the path of a file to treat as belonging to the git installation.
Affected versions of gix-path do not pass -z/--null to cause git to report literal paths (650a1b5). Instead, to cover the occasional case that git outputs a quoted path, they attempt to parse the path by stripping the quotation marks:
https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142
The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.
This is not limited to paths with unusual characters such as quotation marks or newlines. Unless git is explicitly configured with core.quotePath set to false, it also happens when the path contains most non-ASCII characters, including accented or non-English letters. For example, é is transformed to \303\251, with literal backslashes. (This is an octal representation of the bytes in its UTF-8 encoding. This behavior is not limited to systems that encode paths with UTF-8 on disk.)
Rarely, the configuration file gix-path wrongly attempts to open can be created by an attacker who has a limited user account on the system. The attacker would often need to request an account username tailored to carrying out the attack.
PoC
Quick demonstration on Unix
On a Unix-like system in which Git supports no higher scope than system for configuration variables (i.e., not on macOS with Apple Git), in a locale that supports UTF-8, with gitoxide installed, run:
mkdir myrepo
cd myrepo
git init
printf '[real]\n\trealvar = realval\n' > 'é'
printf '[fake]\n\tfakevar = fakeval\n' > '\303\251'
GIT_CONFIG_SYSTEM='é' gix config
If the above conditions are satisfied and the gix command was built against an affected version of gix-path, then the last command's output looks something like this:
# From '\303\251' (GitInstallation)
[fake]
fakevar = fakeval
# From 'é' (System)
[real]
realvar = realval
# From '/home/ubuntu/.gitconfig' (User)
[init]
defaultBranch = main
# From './.git/config' (Local)
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
```
#### Demonstration across user accounts on Windows
On a test system running Windows on which Git for Windows is *not* installed system-wide—resembling a scenario in which users who wish to use Git are expected to install it themselves for their accounts—create two accounts, with these usernames:
- *Renée*, the target of the attack. This user may be a limited user or an administrator. Its user profile directory is assumed to be `C:\Users\Renée`.
- *Ren*, the user who carries out the attack. This user should be a limited user, since an administrator would not need to exploit this vulnerability to inject configuration. Its user profile directory is assumed to be `C:\Users\Ren`.
As *Ren*, run these commands in PowerShell:
```powershell
$d = "$HOME\303\251e\AppData\Local\Programs\Git\etc"
mkdir $d
git config --file $d\gitconfig core.sshCommand calc.exe
icacls $HOME\303 /grant 'Renée:(RX)' /T
(The gitconfig file can instead be written manually, in which case Ren need not have git.)
As Renée:
- Install Git for Windows in the default location for non-systemwide installations, which for that user account is inside
C:\Users\Renée\AppData\Local\Programs. For a non-administrative installation, Git for Windows will pick this location automatically. Allow the installer to place the directory containinggitin the user'sPATH, as it does by default.
(The scenario can be modified for any location the attacker can predict. So, for example, Renée can install Git for Windows with scoop, and Ren could carry out the attack with correspondingly modified path components in place of AppData\Local\Programs\Git.)
-
Install
gitoxideusing any common technique, such as by installing Rust and then runningcargo install gitoxide. -
Open a PowerShell window and run a
gixcommand that attempts to run the SSH client for transport. For example:pwsh gix clone ssh://localhost/myrepo.gitAt least one, and usually two, instances of the Windows calculator will pop up. This happens because
calc.exewas configured in the fake configuration file the user Ren was able to cause to be used, by placing it at the locationgix-pathwrongly resolved the path of Renée's own configuration file to.
The gitconfig file written by the attacker can be adjusted with an arbitrary choice of payload, or to set other configuration variables.
Impact
On a single-user system, it is not possible to exploit this, unless GIT_CONFIG_SYSTEM and GIT_CONFIG_GLOBAL have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected.
Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. It is especially unlikely with Apple Git on macOS, due to its very high scoped configuration in /Library or /Applications that would be detected instead, as in CVE-2024-45305.
The likelihood of exploitation may be higher on Windows, where attacks such as those shown in the Windows proof-of-concept above can be performed due to the status of \ as a directory separator, and where there is no restriction on usernames containing accented or non-English letters (though the latter is also permitted on some other systems). Even then, complex user interaction is required. In most cases, a system administrator would have to approve an innocuous-seeming username, and then the targeted user (who could be the same or a different user) would have to use an application that uses gix-path.
In general, exploitation is more likely to succeed if at least one of the following applies:
- Users are expected to install
gitthemselves, and are likely to do so in predictable locations. - Locations where
gitis installed, whether due to usernames in their paths or otherwise, contain characters thatgitquotes by default in paths, such as non-English letters and accented letters. - A custom
system-scope configuration file is specified with theGIT_CONFIG_SYSTEMenvironment variable, and its path is in an unusual location or has strangely named components. - A
system-scope configuration file is absent, empty, or suppressed by means other thanGIT_CONFIG_NOSYSTEM. Currently,gix-pathcan treat aglobal-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system wheregitis installed system-wide in an ordinary way.
However, exploitation is expected to be very difficult even under any combination of those factors.
Although the effect here is similar to CVE-2022-24765 once exploited, a greater degree of user interaction would usually be required, and the attack complexity here is much higher because the necessary conditions are uncommon and challenging to predict.
Severity
6.0 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.10.10"
},
"package": {
"ecosystem": "crates.io",
"name": "gix-path"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45405"
],
"database_specific": {
"cwe_ids": [
"CWE-41"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-06T19:55:24Z",
"nvd_published_at": "2024-09-06T13:15:05Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution.\n\n### Details\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation.\n\nAffected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths ([`650a1b5`](https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031)). Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks:\n\nhttps://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142\n\nThe problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nThis is not limited to paths with unusual characters such as quotation marks or newlines. Unless `git` is explicitly configured with `core.quotePath` set to `false`, it also happens when the path contains most non-ASCII characters, including accented or non-English letters. For example, `\u00e9` is transformed to `\\303\\251`, with literal backslashes. (This is an octal representation of the bytes in its UTF-8 encoding. This behavior is not limited to systems that encode paths with UTF-8 on disk.)\n\nRarely, the configuration file `gix-path` wrongly attempts to open can be created by an attacker who has a limited user account on the system. The attacker would often need to request an account username tailored to carrying out the attack.\n\n### PoC\n\n#### Quick demonstration on Unix\n\nOn a Unix-like system in which Git supports no higher scope than `system` for configuration variables (i.e., not on macOS with Apple Git), in a locale that supports UTF-8, with `gitoxide` installed, run:\n\n```sh\nmkdir myrepo\ncd myrepo\ngit init\nprintf \u0027[real]\\n\\trealvar = realval\\n\u0027 \u003e \u0027\u00e9\u0027\nprintf \u0027[fake]\\n\\tfakevar = fakeval\\n\u0027 \u003e \u0027\\303\\251\u0027\nGIT_CONFIG_SYSTEM=\u0027\u00e9\u0027 gix config\n```\n\nIf the above conditions are satisfied and the `gix` command was built against an affected version of `gix-path`, then the last command\u0027s output looks something like this:\n\n```text\n# From \u0027\\303\\251\u0027 (GitInstallation)\n[fake]\n fakevar = fakeval\n\n# From \u0027\u00e9\u0027 (System)\n[real]\n realvar = realval\n\n# From \u0027/home/ubuntu/.gitconfig\u0027 (User)\n[init]\n defaultBranch = main\n\n# From \u0027./.git/config\u0027 (Local)\n[core]\n repositoryformatversion = 0\n filemode = true\n bare = false\n logallrefupdates = true\n ```\n\n#### Demonstration across user accounts on Windows\n\nOn a test system running Windows on which Git for Windows is *not* installed system-wide\u2014resembling a scenario in which users who wish to use Git are expected to install it themselves for their accounts\u2014create two accounts, with these usernames:\n\n- *Ren\u00e9e*, the target of the attack. This user may be a limited user or an administrator. Its user profile directory is assumed to be `C:\\Users\\Ren\u00e9e`.\n- *Ren*, the user who carries out the attack. This user should be a limited user, since an administrator would not need to exploit this vulnerability to inject configuration. Its user profile directory is assumed to be `C:\\Users\\Ren`.\n\nAs *Ren*, run these commands in PowerShell:\n\n```powershell\n$d = \"$HOME\\303\\251e\\AppData\\Local\\Programs\\Git\\etc\"\nmkdir $d\ngit config --file $d\\gitconfig core.sshCommand calc.exe\nicacls $HOME\\303 /grant \u0027Ren\u00e9e:(RX)\u0027 /T\n```\n\n(The `gitconfig` file can instead be written manually, in which case *Ren* need not have `git`.)\n\nAs *Ren\u00e9e*:\n\n1. Install Git for Windows in the default location for non-systemwide installations, which for that user account is inside `C:\\Users\\Ren\u00e9e\\AppData\\Local\\Programs`. For a non-administrative installation, Git for Windows will pick this location automatically. Allow the installer to place the directory containing `git` in the user\u0027s `PATH`, as it does by default.\n\n (The scenario can be modified for any location the attacker can predict. So, for example, *Ren\u00e9e* can install Git for Windows with [`scoop`](https://scoop.sh/), and *Ren* could carry out the attack with correspondingly modified path components in place of `AppData\\Local\\Programs\\Git`.)\n \n 2. Install `gitoxide` using any common technique, such as by [installing Rust](https://www.rust-lang.org/tools/install) and then running `cargo install gitoxide`.\n\n3. Open a PowerShell window and run a `gix` command that attempts to run the SSH client for transport. For example:\n\n ```pwsh\n gix clone ssh://localhost/myrepo.git\n ```\n \n At least one, and usually two, instances of the Windows calculator will pop up. This happens because `calc.exe` was configured in the fake configuration file the user *Ren* was able to cause to be used, by placing it at the location `gix-path` wrongly resolved the path of *Ren\u00e9e*\u0027s own configuration file to.\n \n The `gitconfig` file written by the attacker can be adjusted with an arbitrary choice of payload, or to set other configuration variables.\n\n### Impact\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected.\n\nExploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. It is especially unlikely with Apple Git on macOS, due to its very high scoped configuration in `/Library` or `/Applications` that would be detected instead, as in CVE-2024-45305.\n\nThe likelihood of exploitation may be higher on Windows, where attacks such as those shown in the Windows proof-of-concept above can be performed due to the status of `\\` as a directory separator, and where there is no restriction on usernames containing accented or non-English letters (though the latter is also permitted on some other systems). Even then, complex user interaction is required. In most cases, a system administrator would have to approve an innocuous-seeming username, and then the targeted user (who could be the same or a different user) would have to use an application that uses `gix-path`.\n\nIn general, exploitation is more likely to succeed if at least one of the following applies:\n\n- Users are expected to install `git` themselves, and are likely to do so in predictable locations.\n- Locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters.\n- A custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components.\n- A `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way.\n\nHowever, exploitation is expected to be very difficult even under any combination of those factors.\n\nAlthough the effect here is similar to [CVE-2022-24765](https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2) once exploited, a greater degree of user interaction would usually be required, and the attack complexity here is much higher because the necessary conditions are uncommon and challenging to predict.",
"id": "GHSA-m8rp-vv92-46c7",
"modified": "2024-09-18T22:48:07Z",
"published": "2024-09-06T19:55:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45405"
},
{
"type": "WEB",
"url": "https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031"
},
{
"type": "PACKAGE",
"url": "https://github.com/Byron/gitoxide"
},
{
"type": "WEB",
"url": "https://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0371.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "gix-path improperly resolves configuration path reported by Git"
}
OPENSUSE-SU-2024:14353-1
Vulnerability from csaf_opensuse - Published: 2024-09-20 00:00 - Updated: 2024-09-20 00:00Summary
onefetch-2.22.0-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: onefetch-2.22.0-1.1 on GA media
Description of the patch: These are all security issues fixed in the onefetch-2.22.0-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14353
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:onefetch-2.22.0-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:onefetch-2.22.0-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:onefetch-2.22.0-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:onefetch-2.22.0-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "onefetch-2.22.0-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the onefetch-2.22.0-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14353",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14353-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14353-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J72XLMYXKFWH3FBV6MJODSD6GR7RG3VT/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14353-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/J72XLMYXKFWH3FBV6MJODSD6GR7RG3VT/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45405 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45405/"
}
],
"title": "onefetch-2.22.0-1.1 on GA media",
"tracking": {
"current_release_date": "2024-09-20T00:00:00Z",
"generator": {
"date": "2024-09-20T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14353-1",
"initial_release_date": "2024-09-20T00:00:00Z",
"revision_history": [
{
"date": "2024-09-20T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "onefetch-2.22.0-1.1.aarch64",
"product": {
"name": "onefetch-2.22.0-1.1.aarch64",
"product_id": "onefetch-2.22.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "onefetch-2.22.0-1.1.ppc64le",
"product": {
"name": "onefetch-2.22.0-1.1.ppc64le",
"product_id": "onefetch-2.22.0-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "onefetch-2.22.0-1.1.s390x",
"product": {
"name": "onefetch-2.22.0-1.1.s390x",
"product_id": "onefetch-2.22.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "onefetch-2.22.0-1.1.x86_64",
"product": {
"name": "onefetch-2.22.0-1.1.x86_64",
"product_id": "onefetch-2.22.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "onefetch-2.22.0-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:onefetch-2.22.0-1.1.aarch64"
},
"product_reference": "onefetch-2.22.0-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "onefetch-2.22.0-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:onefetch-2.22.0-1.1.ppc64le"
},
"product_reference": "onefetch-2.22.0-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "onefetch-2.22.0-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:onefetch-2.22.0-1.1.s390x"
},
"product_reference": "onefetch-2.22.0-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "onefetch-2.22.0-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:onefetch-2.22.0-1.1.x86_64"
},
"product_reference": "onefetch-2.22.0-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45405",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45405"
}
],
"notes": [
{
"category": "general",
"text": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.aarch64",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.s390x",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45405",
"url": "https://www.suse.com/security/cve/CVE-2024-45405"
},
{
"category": "external",
"summary": "SUSE Bug 1230682 for CVE-2024-45405",
"url": "https://bugzilla.suse.com/1230682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.aarch64",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.s390x",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.aarch64",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.ppc64le",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.s390x",
"openSUSE Tumbleweed:onefetch-2.22.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45405"
}
]
}
OPENSUSE-SU-2024:14355-1
Vulnerability from csaf_opensuse - Published: 2024-09-20 00:00 - Updated: 2024-09-20 00:00Summary
stgit-2.4.12-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: stgit-2.4.12-1.1 on GA media
Description of the patch: These are all security issues fixed in the stgit-2.4.12-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14355
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Affected products
Recommended
24 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:stgit-2.4.12-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-2.4.12-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-2.4.12-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-2.4.12-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "stgit-2.4.12-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the stgit-2.4.12-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14355",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14355-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14355-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BSEETUGLLWE2LBDZK4YETKJXSIBBHJ5L/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14355-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BSEETUGLLWE2LBDZK4YETKJXSIBBHJ5L/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45405 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45405/"
}
],
"title": "stgit-2.4.12-1.1 on GA media",
"tracking": {
"current_release_date": "2024-09-20T00:00:00Z",
"generator": {
"date": "2024-09-20T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14355-1",
"initial_release_date": "2024-09-20T00:00:00Z",
"revision_history": [
{
"date": "2024-09-20T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "stgit-2.4.12-1.1.aarch64",
"product": {
"name": "stgit-2.4.12-1.1.aarch64",
"product_id": "stgit-2.4.12-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "stgit-bash-completion-2.4.12-1.1.aarch64",
"product": {
"name": "stgit-bash-completion-2.4.12-1.1.aarch64",
"product_id": "stgit-bash-completion-2.4.12-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "stgit-emacs-2.4.12-1.1.aarch64",
"product": {
"name": "stgit-emacs-2.4.12-1.1.aarch64",
"product_id": "stgit-emacs-2.4.12-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "stgit-fish-completion-2.4.12-1.1.aarch64",
"product": {
"name": "stgit-fish-completion-2.4.12-1.1.aarch64",
"product_id": "stgit-fish-completion-2.4.12-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "stgit-vim-plugin-2.4.12-1.1.aarch64",
"product": {
"name": "stgit-vim-plugin-2.4.12-1.1.aarch64",
"product_id": "stgit-vim-plugin-2.4.12-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "stgit-zsh-completion-2.4.12-1.1.aarch64",
"product": {
"name": "stgit-zsh-completion-2.4.12-1.1.aarch64",
"product_id": "stgit-zsh-completion-2.4.12-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "stgit-2.4.12-1.1.ppc64le",
"product": {
"name": "stgit-2.4.12-1.1.ppc64le",
"product_id": "stgit-2.4.12-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "stgit-bash-completion-2.4.12-1.1.ppc64le",
"product": {
"name": "stgit-bash-completion-2.4.12-1.1.ppc64le",
"product_id": "stgit-bash-completion-2.4.12-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "stgit-emacs-2.4.12-1.1.ppc64le",
"product": {
"name": "stgit-emacs-2.4.12-1.1.ppc64le",
"product_id": "stgit-emacs-2.4.12-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "stgit-fish-completion-2.4.12-1.1.ppc64le",
"product": {
"name": "stgit-fish-completion-2.4.12-1.1.ppc64le",
"product_id": "stgit-fish-completion-2.4.12-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "stgit-vim-plugin-2.4.12-1.1.ppc64le",
"product": {
"name": "stgit-vim-plugin-2.4.12-1.1.ppc64le",
"product_id": "stgit-vim-plugin-2.4.12-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "stgit-zsh-completion-2.4.12-1.1.ppc64le",
"product": {
"name": "stgit-zsh-completion-2.4.12-1.1.ppc64le",
"product_id": "stgit-zsh-completion-2.4.12-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "stgit-2.4.12-1.1.s390x",
"product": {
"name": "stgit-2.4.12-1.1.s390x",
"product_id": "stgit-2.4.12-1.1.s390x"
}
},
{
"category": "product_version",
"name": "stgit-bash-completion-2.4.12-1.1.s390x",
"product": {
"name": "stgit-bash-completion-2.4.12-1.1.s390x",
"product_id": "stgit-bash-completion-2.4.12-1.1.s390x"
}
},
{
"category": "product_version",
"name": "stgit-emacs-2.4.12-1.1.s390x",
"product": {
"name": "stgit-emacs-2.4.12-1.1.s390x",
"product_id": "stgit-emacs-2.4.12-1.1.s390x"
}
},
{
"category": "product_version",
"name": "stgit-fish-completion-2.4.12-1.1.s390x",
"product": {
"name": "stgit-fish-completion-2.4.12-1.1.s390x",
"product_id": "stgit-fish-completion-2.4.12-1.1.s390x"
}
},
{
"category": "product_version",
"name": "stgit-vim-plugin-2.4.12-1.1.s390x",
"product": {
"name": "stgit-vim-plugin-2.4.12-1.1.s390x",
"product_id": "stgit-vim-plugin-2.4.12-1.1.s390x"
}
},
{
"category": "product_version",
"name": "stgit-zsh-completion-2.4.12-1.1.s390x",
"product": {
"name": "stgit-zsh-completion-2.4.12-1.1.s390x",
"product_id": "stgit-zsh-completion-2.4.12-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "stgit-2.4.12-1.1.x86_64",
"product": {
"name": "stgit-2.4.12-1.1.x86_64",
"product_id": "stgit-2.4.12-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "stgit-bash-completion-2.4.12-1.1.x86_64",
"product": {
"name": "stgit-bash-completion-2.4.12-1.1.x86_64",
"product_id": "stgit-bash-completion-2.4.12-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "stgit-emacs-2.4.12-1.1.x86_64",
"product": {
"name": "stgit-emacs-2.4.12-1.1.x86_64",
"product_id": "stgit-emacs-2.4.12-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "stgit-fish-completion-2.4.12-1.1.x86_64",
"product": {
"name": "stgit-fish-completion-2.4.12-1.1.x86_64",
"product_id": "stgit-fish-completion-2.4.12-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "stgit-vim-plugin-2.4.12-1.1.x86_64",
"product": {
"name": "stgit-vim-plugin-2.4.12-1.1.x86_64",
"product_id": "stgit-vim-plugin-2.4.12-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "stgit-zsh-completion-2.4.12-1.1.x86_64",
"product": {
"name": "stgit-zsh-completion-2.4.12-1.1.x86_64",
"product_id": "stgit-zsh-completion-2.4.12-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-2.4.12-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-2.4.12-1.1.aarch64"
},
"product_reference": "stgit-2.4.12-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-2.4.12-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-2.4.12-1.1.ppc64le"
},
"product_reference": "stgit-2.4.12-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-2.4.12-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-2.4.12-1.1.s390x"
},
"product_reference": "stgit-2.4.12-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-2.4.12-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-2.4.12-1.1.x86_64"
},
"product_reference": "stgit-2.4.12-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-bash-completion-2.4.12-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.aarch64"
},
"product_reference": "stgit-bash-completion-2.4.12-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-bash-completion-2.4.12-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.ppc64le"
},
"product_reference": "stgit-bash-completion-2.4.12-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-bash-completion-2.4.12-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.s390x"
},
"product_reference": "stgit-bash-completion-2.4.12-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-bash-completion-2.4.12-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.x86_64"
},
"product_reference": "stgit-bash-completion-2.4.12-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-emacs-2.4.12-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.aarch64"
},
"product_reference": "stgit-emacs-2.4.12-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-emacs-2.4.12-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.ppc64le"
},
"product_reference": "stgit-emacs-2.4.12-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-emacs-2.4.12-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.s390x"
},
"product_reference": "stgit-emacs-2.4.12-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-emacs-2.4.12-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.x86_64"
},
"product_reference": "stgit-emacs-2.4.12-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-fish-completion-2.4.12-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.aarch64"
},
"product_reference": "stgit-fish-completion-2.4.12-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-fish-completion-2.4.12-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.ppc64le"
},
"product_reference": "stgit-fish-completion-2.4.12-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-fish-completion-2.4.12-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.s390x"
},
"product_reference": "stgit-fish-completion-2.4.12-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-fish-completion-2.4.12-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.x86_64"
},
"product_reference": "stgit-fish-completion-2.4.12-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-vim-plugin-2.4.12-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.aarch64"
},
"product_reference": "stgit-vim-plugin-2.4.12-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-vim-plugin-2.4.12-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.ppc64le"
},
"product_reference": "stgit-vim-plugin-2.4.12-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-vim-plugin-2.4.12-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.s390x"
},
"product_reference": "stgit-vim-plugin-2.4.12-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-vim-plugin-2.4.12-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.x86_64"
},
"product_reference": "stgit-vim-plugin-2.4.12-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-zsh-completion-2.4.12-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.aarch64"
},
"product_reference": "stgit-zsh-completion-2.4.12-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-zsh-completion-2.4.12-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.ppc64le"
},
"product_reference": "stgit-zsh-completion-2.4.12-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-zsh-completion-2.4.12-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.s390x"
},
"product_reference": "stgit-zsh-completion-2.4.12-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "stgit-zsh-completion-2.4.12-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.x86_64"
},
"product_reference": "stgit-zsh-completion-2.4.12-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45405",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45405"
}
],
"notes": [
{
"category": "general",
"text": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:stgit-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45405",
"url": "https://www.suse.com/security/cve/CVE-2024-45405"
},
{
"category": "external",
"summary": "SUSE Bug 1230682 for CVE-2024-45405",
"url": "https://bugzilla.suse.com/1230682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:stgit-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:stgit-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-bash-completion-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-emacs-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-fish-completion-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-vim-plugin-2.4.12-1.1.x86_64",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.aarch64",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.ppc64le",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.s390x",
"openSUSE Tumbleweed:stgit-zsh-completion-2.4.12-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-20T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45405"
}
]
}
OPENSUSE-SU-2024:14359-1
Vulnerability from csaf_opensuse - Published: 2024-09-22 00:00 - Updated: 2024-09-22 00:00Summary
cargo-c-0.10.3~git0.ee7d7ef-2.1 on GA media
Severity
Moderate
Notes
Title of the patch: cargo-c-0.10.3~git0.ee7d7ef-2.1 on GA media
Description of the patch: These are all security issues fixed in the cargo-c-0.10.3~git0.ee7d7ef-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14359
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cargo-c-0.10.3~git0.ee7d7ef-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cargo-c-0.10.3~git0.ee7d7ef-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14359",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14359-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14359-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5AVUCUB6WNWCNZHYEZ5APB4CRZVOO6E2/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14359-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5AVUCUB6WNWCNZHYEZ5APB4CRZVOO6E2/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45405 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45405/"
}
],
"title": "cargo-c-0.10.3~git0.ee7d7ef-2.1 on GA media",
"tracking": {
"current_release_date": "2024-09-22T00:00:00Z",
"generator": {
"date": "2024-09-22T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14359-1",
"initial_release_date": "2024-09-22T00:00:00Z",
"revision_history": [
{
"date": "2024-09-22T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45405",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45405"
}
],
"notes": [
{
"category": "general",
"text": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45405",
"url": "https://www.suse.com/security/cve/CVE-2024-45405"
},
{
"category": "external",
"summary": "SUSE Bug 1230682 for CVE-2024-45405",
"url": "https://bugzilla.suse.com/1230682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.aarch64",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.ppc64le",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.s390x",
"openSUSE Tumbleweed:cargo-c-0.10.3~git0.ee7d7ef-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-22T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45405"
}
]
}
OPENSUSE-SU-2024:14363-1
Vulnerability from csaf_opensuse - Published: 2024-09-24 00:00 - Updated: 2024-09-24 00:00Summary
cargo-audit-0.20.0~git66.972ac93-3.1 on GA media
Severity
Moderate
Notes
Title of the patch: cargo-audit-0.20.0~git66.972ac93-3.1 on GA media
Description of the patch: These are all security issues fixed in the cargo-audit-0.20.0~git66.972ac93-3.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14363
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cargo-audit-0.20.0~git66.972ac93-3.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cargo-audit-0.20.0~git66.972ac93-3.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14363",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14363-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14363-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3YXNKMDTNPKPGPPJXCTWHI6RZ3NLYIJQ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14363-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3YXNKMDTNPKPGPPJXCTWHI6RZ3NLYIJQ/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45405 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45405/"
}
],
"title": "cargo-audit-0.20.0~git66.972ac93-3.1 on GA media",
"tracking": {
"current_release_date": "2024-09-24T00:00:00Z",
"generator": {
"date": "2024-09-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14363-1",
"initial_release_date": "2024-09-24T00:00:00Z",
"revision_history": [
{
"date": "2024-09-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.aarch64",
"product": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.aarch64",
"product_id": "cargo-audit-0.20.0~git66.972ac93-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le",
"product": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le",
"product_id": "cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.s390x",
"product": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.s390x",
"product_id": "cargo-audit-0.20.0~git66.972ac93-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.x86_64",
"product": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.x86_64",
"product_id": "cargo-audit-0.20.0~git66.972ac93-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.aarch64"
},
"product_reference": "cargo-audit-0.20.0~git66.972ac93-3.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le"
},
"product_reference": "cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.s390x"
},
"product_reference": "cargo-audit-0.20.0~git66.972ac93-3.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-audit-0.20.0~git66.972ac93-3.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.x86_64"
},
"product_reference": "cargo-audit-0.20.0~git66.972ac93-3.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45405",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45405"
}
],
"notes": [
{
"category": "general",
"text": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.aarch64",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.s390x",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45405",
"url": "https://www.suse.com/security/cve/CVE-2024-45405"
},
{
"category": "external",
"summary": "SUSE Bug 1230682 for CVE-2024-45405",
"url": "https://bugzilla.suse.com/1230682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.aarch64",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.s390x",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.aarch64",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.ppc64le",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.s390x",
"openSUSE Tumbleweed:cargo-audit-0.20.0~git66.972ac93-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45405"
}
]
}
OPENSUSE-SU-2024:14364-1
Vulnerability from csaf_opensuse - Published: 2024-09-24 00:00 - Updated: 2024-09-24 00:00Summary
obs-service-cargo-1.3.6-5.1 on GA media
Severity
Moderate
Notes
Title of the patch: obs-service-cargo-1.3.6-5.1 on GA media
Description of the patch: These are all security issues fixed in the obs-service-cargo-1.3.6-5.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2024-14364
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
7 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "obs-service-cargo-1.3.6-5.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the obs-service-cargo-1.3.6-5.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14364",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14364-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14364-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LZDU3FCKGOHMSOMAOARUXJ4KGV4XHUFC/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14364-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LZDU3FCKGOHMSOMAOARUXJ4KGV4XHUFC/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45405 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45405/"
}
],
"title": "obs-service-cargo-1.3.6-5.1 on GA media",
"tracking": {
"current_release_date": "2024-09-24T00:00:00Z",
"generator": {
"date": "2024-09-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14364-1",
"initial_release_date": "2024-09-24T00:00:00Z",
"revision_history": [
{
"date": "2024-09-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "obs-service-cargo-1.3.6-5.1.aarch64",
"product": {
"name": "obs-service-cargo-1.3.6-5.1.aarch64",
"product_id": "obs-service-cargo-1.3.6-5.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "obs-service-cargo-1.3.6-5.1.ppc64le",
"product": {
"name": "obs-service-cargo-1.3.6-5.1.ppc64le",
"product_id": "obs-service-cargo-1.3.6-5.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "obs-service-cargo-1.3.6-5.1.s390x",
"product": {
"name": "obs-service-cargo-1.3.6-5.1.s390x",
"product_id": "obs-service-cargo-1.3.6-5.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "obs-service-cargo-1.3.6-5.1.x86_64",
"product": {
"name": "obs-service-cargo-1.3.6-5.1.x86_64",
"product_id": "obs-service-cargo-1.3.6-5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-cargo-1.3.6-5.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.aarch64"
},
"product_reference": "obs-service-cargo-1.3.6-5.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-cargo-1.3.6-5.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.ppc64le"
},
"product_reference": "obs-service-cargo-1.3.6-5.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-cargo-1.3.6-5.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.s390x"
},
"product_reference": "obs-service-cargo-1.3.6-5.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "obs-service-cargo-1.3.6-5.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.x86_64"
},
"product_reference": "obs-service-cargo-1.3.6-5.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45405",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45405"
}
],
"notes": [
{
"category": "general",
"text": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45405",
"url": "https://www.suse.com/security/cve/CVE-2024-45405"
},
{
"category": "external",
"summary": "SUSE Bug 1230682 for CVE-2024-45405",
"url": "https://bugzilla.suse.com/1230682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.aarch64",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.ppc64le",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.s390x",
"openSUSE Tumbleweed:obs-service-cargo-1.3.6-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-09-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-45405"
}
]
}
rustsec-2024-0371
Vulnerability from osv_rustsec
Published
2024-09-06 12:00
Modified
2024-09-07 01:48
Summary
gix-path improperly resolves configuration path reported by Git
Details
Summary
gix-path runs git to find the path of a configuration file associated with the git installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution.
Details
In gix_path::env, the underlying implementation of the installation_config and installation_config_prefix functions calls git config -l --show-origin to find the path of a file to treat as belonging to the git installation.
Affected versions of gix-path do not pass -z/--null to cause git to report literal paths (650a1b5). Instead, to cover the occasional case that git outputs a quoted path, they attempt to parse the path by stripping the quotation marks:
The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.
This is not limited to paths with unusual characters such as quotation marks or newlines. Unless git is explicitly configured with core.quotePath set to false, it also happens when the path contains most non-ASCII characters, including accented or non-English letters. For example, é is transformed to \303\251, with literal backslashes. (This is an octal representation of the bytes in its UTF-8 encoding. This behavior is not limited to systems that encode paths with UTF-8 on disk.)
Rarely, the configuration file gix-path wrongly attempts to open can be created by an attacker who has a limited user account on the system. The attacker would often need to request an account username tailored to carrying out the attack.
PoC
Quick demonstration on Unix
On a Unix-like system in which Git supports no higher scope than system for configuration variables (i.e., not on macOS with Apple Git), in a locale that supports UTF-8, with gitoxide installed, run:
mkdir myrepo
cd myrepo
git init
printf '[real]\n\trealvar = realval\n' > 'é'
printf '[fake]\n\tfakevar = fakeval\n' > '\303\251'
GIT_CONFIG_SYSTEM='é' gix config
If the above conditions are satisfied and the gix command was built against an affected version of gix-path, then the last command's output looks something like this:
# From '\303\251' (GitInstallation)
[fake]
fakevar = fakeval
# From 'é' (System)
[real]
realvar = realval
# From '/home/ubuntu/.gitconfig' (User)
[init]
defaultBranch = main
# From './.git/config' (Local)
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
Demonstration across user accounts on Windows
On a test system running Windows on which Git for Windows is not installed system-wide—resembling a scenario in which users who wish to use Git are expected to install it themselves for their accounts—create two accounts, with these usernames:
- Renée, the target of the attack. This user may be a limited user or an administrator. Its user profile directory is assumed to be
C:\Users\Renée. - Ren, the user who carries out the attack. This user should be a limited user, since an administrator would not need to exploit this vulnerability to inject configuration. Its user profile directory is assumed to be
C:\Users\Ren.
As Ren, run these commands in PowerShell:
$d = "$HOME\303\251e\AppData\Local\Programs\Git\etc"
mkdir $d
git config --file $d\gitconfig core.sshCommand calc.exe
icacls $HOME\303 /grant 'Renée:(RX)' /T
(The gitconfig file can instead be written manually, in which case Ren need not have git.)
As Renée:
- Install Git for Windows in the default location for non-systemwide installations, which for that user account is inside
C:\Users\Renée\AppData\Local\Programs. For a non-administrative installation, Git for Windows will pick this location automatically. Allow the installer to place the directory containinggitin the user'sPATH, as it does by default.
(The scenario can be modified for any location the attacker can predict. So, for example, Renée can install Git for Windows with scoop, and Ren could carry out the attack with correspondingly modified path components in place of AppData\Local\Programs\Git.)
-
Install
gitoxideusing any common technique, such as by installing Rust and then runningcargo install gitoxide. -
Open a PowerShell window and run a
gixcommand that attempts to run the SSH client for transport. For example:
pwsh
gix clone ssh://localhost/myrepo.git
At least one, and usually two, instances of the Windows calculator will pop up. This happens because calc.exe was configured in the fake configuration file the user Ren was able to cause to be used, by placing it at the location gix-path wrongly resolved the path of Renée's own configuration file to.
The gitconfig file written by the attacker can be adjusted with an arbitrary choice of payload, or to set other configuration variables.
Impact
On a single-user system, it is not possible to exploit this, unless GIT_CONFIG_SYSTEM and GIT_CONFIG_GLOBAL have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected.
Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. It is especially unlikely with Apple Git on macOS, due to its very high scoped configuration in /Library or /Applications that would be detected instead, as in CVE-2024-45305.
The likelihood of exploitation may be higher on Windows, where attacks such as those shown in the Windows proof-of-concept above can be performed due to the status of \ as a directory separator, and where there is no restriction on usernames containing accented or non-English letters (though the latter is also permitted on some other systems). Even then, complex user interaction is required. In most cases, a system administrator would have to approve an innocuous-seeming username, and then the targeted user (who could be the same or a different user) would have to use an application that uses gix-path.
In general, exploitation is more likely to succeed if at least one of the following applies:
- Users are expected to install
gitthemselves, and are likely to do so in predictable locations. - Locations where
gitis installed, whether due to usernames in their paths or otherwise, contain characters thatgitquotes by default in paths, such as non-English letters and accented letters. - A custom
system-scope configuration file is specified with theGIT_CONFIG_SYSTEMenvironment variable, and its path is in an unusual location or has strangely named components. - A
system-scope configuration file is absent, empty, or suppressed by means other thanGIT_CONFIG_NOSYSTEM. Currently,gix-pathcan treat aglobal-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system wheregitis installed system-wide in an ordinary way.
However, exploitation is expected to be very difficult even under any combination of those factors.
Although the effect here is similar to CVE-2022-24765 once exploited, a greater degree of user interaction would usually be required, and the attack complexity here is much higher because the necessary conditions are uncommon and challenging to predict.
Severity
6.0 (Medium)
References
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"categories": [
"code-execution",
"privilege-escalation"
],
"cvss": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"informational": null
},
"ecosystem_specific": {
"affected_functions": null,
"affects": {
"arch": [],
"functions": [
"gix_path::env::installation_config",
"gix_path::env::installation_config_prefix"
],
"os": []
}
},
"package": {
"ecosystem": "crates.io",
"name": "gix-path",
"purl": "pkg:cargo/gix-path"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0-0"
},
{
"fixed": "0.10.11"
}
],
"type": "SEMVER"
}
],
"versions": []
}
],
"aliases": [
"CVE-2024-45405",
"GHSA-m8rp-vv92-46c7"
],
"database_specific": {
"license": "CC0-1.0"
},
"details": "### Summary\n\n`gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution.\n\n### Details\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation.\n\nAffected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths ([`650a1b5`](https://github.com/Byron/gitoxide/commit/650a1b5cf25e086197cc55a68525a411e1c28031)). Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks:\n\n\u003chttps://github.com/Byron/gitoxide/blob/1cfe577d461293879e91538dbc4bbfe01722e1e8/gix-path/src/env/git/mod.rs#L138-L142\u003e\n\nThe problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nThis is not limited to paths with unusual characters such as quotation marks or newlines. Unless `git` is explicitly configured with `core.quotePath` set to `false`, it also happens when the path contains most non-ASCII characters, including accented or non-English letters. For example, `\u00e9` is transformed to `\\303\\251`, with literal backslashes. (This is an octal representation of the bytes in its UTF-8 encoding. This behavior is not limited to systems that encode paths with UTF-8 on disk.)\n\nRarely, the configuration file `gix-path` wrongly attempts to open can be created by an attacker who has a limited user account on the system. The attacker would often need to request an account username tailored to carrying out the attack.\n\n### PoC\n\n#### Quick demonstration on Unix\n\nOn a Unix-like system in which Git supports no higher scope than `system` for configuration variables (i.e., not on macOS with Apple Git), in a locale that supports UTF-8, with `gitoxide` installed, run:\n\n```sh\nmkdir myrepo\ncd myrepo\ngit init\nprintf \u0027[real]\\n\\trealvar = realval\\n\u0027 \u003e \u0027\u00e9\u0027\nprintf \u0027[fake]\\n\\tfakevar = fakeval\\n\u0027 \u003e \u0027\\303\\251\u0027\nGIT_CONFIG_SYSTEM=\u0027\u00e9\u0027 gix config\n```\n\nIf the above conditions are satisfied and the `gix` command was built against an affected version of `gix-path`, then the last command\u0027s output looks something like this:\n\n```text\n# From \u0027\\303\\251\u0027 (GitInstallation)\n[fake]\n fakevar = fakeval\n\n# From \u0027\u00e9\u0027 (System)\n[real]\n realvar = realval\n\n# From \u0027/home/ubuntu/.gitconfig\u0027 (User)\n[init]\n defaultBranch = main\n\n# From \u0027./.git/config\u0027 (Local)\n[core]\n repositoryformatversion = 0\n filemode = true\n bare = false\n logallrefupdates = true\n```\n\n#### Demonstration across user accounts on Windows\n\nOn a test system running Windows on which Git for Windows is *not* installed system-wide\u2014resembling a scenario in which users who wish to use Git are expected to install it themselves for their accounts\u2014create two accounts, with these usernames:\n\n- *Ren\u00e9e*, the target of the attack. This user may be a limited user or an administrator. Its user profile directory is assumed to be `C:\\Users\\Ren\u00e9e`.\n- *Ren*, the user who carries out the attack. This user should be a limited user, since an administrator would not need to exploit this vulnerability to inject configuration. Its user profile directory is assumed to be `C:\\Users\\Ren`.\n\nAs *Ren*, run these commands in PowerShell:\n\n```powershell\n$d = \"$HOME\\303\\251e\\AppData\\Local\\Programs\\Git\\etc\"\nmkdir $d\ngit config --file $d\\gitconfig core.sshCommand calc.exe\nicacls $HOME\\303 /grant \u0027Ren\u00e9e:(RX)\u0027 /T\n```\n\n(The `gitconfig` file can instead be written manually, in which case *Ren* need not have `git`.)\n\nAs *Ren\u00e9e*:\n\n1. Install Git for Windows in the default location for non-systemwide installations, which for that user account is inside `C:\\Users\\Ren\u00e9e\\AppData\\Local\\Programs`. For a non-administrative installation, Git for Windows will pick this location automatically. Allow the installer to place the directory containing `git` in the user\u0027s `PATH`, as it does by default.\n\n (The scenario can be modified for any location the attacker can predict. So, for example, *Ren\u00e9e* can install Git for Windows with [`scoop`](https://scoop.sh/), and *Ren* could carry out the attack with correspondingly modified path components in place of `AppData\\Local\\Programs\\Git`.)\n\n2. Install `gitoxide` using any common technique, such as by [installing Rust](https://www.rust-lang.org/tools/install) and then running `cargo install gitoxide`.\n\n3. Open a PowerShell window and run a `gix` command that attempts to run the SSH client for transport. For example:\n\n ```pwsh\n gix clone ssh://localhost/myrepo.git\n ```\n\n At least one, and usually two, instances of the Windows calculator will pop up. This happens because `calc.exe` was configured in the fake configuration file the user *Ren* was able to cause to be used, by placing it at the location `gix-path` wrongly resolved the path of *Ren\u00e9e*\u0027s own configuration file to.\n\nThe `gitconfig` file written by the attacker can be adjusted with an arbitrary choice of payload, or to set other configuration variables.\n\n### Impact\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected.\n\nExploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. It is especially unlikely with Apple Git on macOS, due to its very high scoped configuration in `/Library` or `/Applications` that would be detected instead, as in [CVE-2024-45305](https://github.com/advisories/GHSA-v26r-4c9c-h3j6).\n\nThe likelihood of exploitation may be higher on Windows, where attacks such as those shown in the Windows proof-of-concept above can be performed due to the status of `\\` as a directory separator, and where there is no restriction on usernames containing accented or non-English letters (though the latter is also permitted on some other systems). Even then, complex user interaction is required. In most cases, a system administrator would have to approve an innocuous-seeming username, and then the targeted user (who could be the same or a different user) would have to use an application that uses `gix-path`.\n\nIn general, exploitation is more likely to succeed if at least one of the following applies:\n\n- Users are expected to install `git` themselves, and are likely to do so in predictable locations.\n- Locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters.\n- A custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components.\n- A `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way.\n\nHowever, exploitation is expected to be very difficult even under any combination of those factors.\n\nAlthough the effect here is similar to [CVE-2022-24765](https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2) once exploited, a greater degree of user interaction would usually be required, and the attack complexity here is much higher because the necessary conditions are uncommon and challenging to predict.",
"id": "RUSTSEC-2024-0371",
"modified": "2024-09-07T01:48:33Z",
"published": "2024-09-06T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://crates.io/crates/gix-path"
},
{
"type": "ADVISORY",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0371.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/Byron/gitoxide/security/advisories/GHSA-m8rp-vv92-46c7"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m8rp-vv92-46c7"
}
],
"related": [],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "gix-path improperly resolves configuration path reported by Git"
}
SUSE-SU-2024:3748-1
Vulnerability from csaf_suse - Published: 2024-10-23 11:33 - Updated: 2024-10-23 11:33Summary
Security update for cargo-c
Severity
Moderate
Notes
Title of the patch: Security update for cargo-c
Description of the patch: This update for cargo-c fixes the following issues:
Security fixes:
- CVE-2024-45405: Fixed gix-path improper path resolution (bsc#1230683)
Other fixes:
- Update to version 0.10.3~git0.ee7d7ef:
Patchnames: SUSE-2024-3748,openSUSE-SLE-15.6-2024-3748
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.6 (Medium)
Affected products
Recommended
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
References
8 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for cargo-c",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for cargo-c fixes the following issues:\n\nSecurity fixes:\n\n- CVE-2024-45405: Fixed gix-path improper path resolution (bsc#1230683)\n\nOther fixes:\n\n- Update to version 0.10.3~git0.ee7d7ef:\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-3748,openSUSE-SLE-15.6-2024-3748",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3748-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:3748-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20243748-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:3748-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019669.html"
},
{
"category": "self",
"summary": "SUSE Bug 1230683",
"url": "https://bugzilla.suse.com/1230683"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45405 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45405/"
}
],
"title": "Security update for cargo-c",
"tracking": {
"current_release_date": "2024-10-23T11:33:35Z",
"generator": {
"date": "2024-10-23T11:33:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:3748-1",
"initial_release_date": "2024-10-23T11:33:35Z",
"revision_history": [
{
"date": "2024-10-23T11:33:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.i586",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.i586",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64",
"product": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64",
"product_id": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x",
"relates_to_product_reference": "openSUSE Leap 15.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64 as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64"
},
"product_reference": "cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45405",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45405"
}
],
"notes": [
{
"category": "general",
"text": "`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` installation, but improperly resolves paths containing unusual or non-ASCII characters, in rare cases enabling a local attacker to inject configuration leading to code execution. Version 0.10.11 contains a patch for the issue.\n\nIn `gix_path::env`, the underlying implementation of the `installation_config` and `installation_config_prefix` functions calls `git config -l --show-origin` to find the path of a file to treat as belonging to the `git` installation. Affected versions of `gix-path` do not pass `-z`/`--null` to cause `git` to report literal paths. Instead, to cover the occasional case that `git` outputs a quoted path, they attempt to parse the path by stripping the quotation marks. The problem is that, when a path is quoted, it may change in substantial ways beyond the concatenation of quotation marks. If not reversed, these changes can result in another valid path that is not equivalent to the original.\n\nOn a single-user system, it is not possible to exploit this, unless `GIT_CONFIG_SYSTEM` and `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been installed in an unusual way. Such a scenario is not expected. Exploitation is unlikely even on a multi-user system, though it is plausible in some uncommon configurations or use cases. In general, exploitation is more likely to succeed if users are expected to install `git` themselves, and are likely to do so in predictable locations; locations where `git` is installed, whether due to usernames in their paths or otherwise, contain characters that `git` quotes by default in paths, such as non-English letters and accented letters; a custom `system`-scope configuration file is specified with the `GIT_CONFIG_SYSTEM` environment variable, and its path is in an unusual location or has strangely named components; or a `system`-scope configuration file is absent, empty, or suppressed by means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can treat a `global`-scope configuration file as belonging to the installation if no higher scope configuration file is available. This increases the likelihood of exploitation even on a system where `git` is installed system-wide in an ordinary way. However, exploitation is expected to be very difficult even under any combination of those factors.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45405",
"url": "https://www.suse.com/security/cve/CVE-2024-45405"
},
{
"category": "external",
"summary": "SUSE Bug 1230682 for CVE-2024-45405",
"url": "https://bugzilla.suse.com/1230682"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.aarch64",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.ppc64le",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.s390x",
"openSUSE Leap 15.6:cargo-c-0.10.3~git0.ee7d7ef-150600.3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-10-23T11:33:35Z",
"details": "moderate"
}
],
"title": "CVE-2024-45405"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…