Skip to content

[Security] Bump gitpython from 3.1.32 to 3.1.33

HIFIS Bot requested to merge dependabot-pip-gitpython-3.1.33 into master

Bumps gitpython from 3.1.32 to 3.1.33. This update includes security fixes.

Vulnerabilities fixed

GitPython untrusted search path on Windows systems leading to arbitrary code execution

Summary

When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the git command, if a user runs GitPython from a repo has a git.exe or git executable, that program will be run instead of the one in the user's PATH.

Details

This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo.

The execution of the git command happens in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L277

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/cmd.py#L983-L996

And there are other commands executed that should probably be aware of this problem.

PoC

On a Windows system, create a git.exe or git executable in any directory, and import or run GitPython from that directory

... (truncated)

Patched versions: none Affected versions: <= 3.1.32

Blind local file inclusion

Summary

In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Details

This vulnerability is present in

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175

That code joins the base directory with a user given string without checking if the final path is located outside the base directory.

I was able to exploit it from three places, but there may be more code paths that lead to it:

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L605

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/repo/base.py#L620

https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/index/base.py#L1353

... (truncated)

Patched versions: none Affected versions: <= 3.1.32

Release notes

Sourced from gitpython's releases.

v3.1.33 - with security fix

What's Changed

New Contributors

Full Changelog: https://github.com/gitpython-developers/GitPython/compare/3.1.32...3.1.33

Commits
  • 993f045 prepare for next release
  • a1c472b Merge pull request #1619 from HageMaster3108/bugfix/use-python-builtin-open-m...
  • 70924c4 Skip now permanently failing test with note on how to fix it
  • 8b75434 Merge pull request #1636 from EliahKagan/cve-2023-40590
  • 7611cd9 Don't check form of version number
  • 94e0fb0 Add a unit test for CVE-2023-40590
  • 6029211 Fix CVE-2023-40590
  • e19abe7 Merge pull request #1634 from madebylydia/main
  • 9f74c05 feat: full typing for "progress" parameter
  • 186c1ae Creating a lock now uses python built-in "open()" method to work around docke...
  • Additional commits viewable in compare view

Merge request reports

Loading