[Security] Bump gitpython from 3.1.32 to 3.1.33
Bumps gitpython from 3.1.32 to 3.1.33. This update includes security fixes.
Vulnerabilities fixed
GitPython untrusted search path on Windows systems leading to arbitrary code execution
Summary
When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning in https://docs.python.org/3/library/subprocess.html#popen-constructor). GitPython defaults to use the `git` command; if a user runs GitPython from a repo that has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`.
Details
This is more of a problem with how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But people using GitPython probably usually run it from the CWD of a repo.
The execution of the `git` command happens in
And there are other commands executed that should probably be aware of this problem.
PoC
On a Windows system, create a `git.exe` or `git` executable in any directory, and import or run GitPython from that directory
... (truncated)
Patched versions: none
Affected versions: <= 3.1.32
Blind local file inclusion
Summary
In order to resolve some git references, GitPython reads files from the `.git` directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system.
Details
This vulnerability is present in
That code joins the base directory with a user-given string without checking if the final path is located outside the base directory.
I was able to exploit it from three places, but there may be more code paths that lead to it:
... (truncated)
Patched versions: none
Affected versions: <= 3.1.32
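The unchecked join that the second advisory describes, beside a contained variant that refuses anything resolving outside the base directory. This is an added illustration, not GitPython's code; the `.git` path and the ref names are constructed.

```python
"""Unchecked vs. contained path join (added example, not GitPython code)."""
import os


def join_unchecked(base_dir: str, name: str) -> str:
    # The pattern the advisory describes: base joined with a user string, no check.
    # Note that os.path.join drops base_dir entirely when name is absolute.
    return os.path.join(base_dir, name)


def join_contained(base_dir: str, name: str) -> str:
    """Join name onto base_dir, rejecting any result outside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath is the robust containment test: a plain startswith()
    # would wrongly accept "/srv/repo/.git2/HEAD" for base "/srv/repo/.git".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"name escapes {base_dir}: {name!r}")
    return candidate


def is_contained(base_dir: str, name: str) -> bool:
    """True if name resolves to a location inside base_dir."""
    try:
        join_contained(base_dir, name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    GIT_DIR = "/srv/repo/.git"  # constructed path; need not exist
    # Constructed inputs: one legitimate ref name and three traversal attempts.
    for name in ("refs/heads/main", "../../../../etc/passwd",
                 "/etc/passwd", "../.git2/HEAD"):
        print(f"{name!r:28} unchecked={join_unchecked(GIT_DIR, name)!r:42} "
              f"contained={is_contained(GIT_DIR, name)}")
```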
Release notes
Sourced from gitpython's releases.
v3.1.33 - with security fix
What's Changed
- WIP Quick doc by @LeoDaCoda in gitpython-developers/GitPython#1608
- Partial clean up wrt mypy and black by @bodograumann in gitpython-developers/GitPython#1617
- Disable merge_includes in config writers by @bodograumann in gitpython-developers/GitPython#1618
- feat: full typing for "progress" parameter in Repo class by @madebylydia in gitpython-developers/GitPython#1634
- Fix CVE-2023-40590 by @EliahKagan in gitpython-developers/GitPython#1636
- #1566 Creating a lock now uses python built-in "open()" method to work arou… by @HageMaster3108 in gitpython-developers/GitPython#1619
New Contributors
- @LeoDaCoda made their first contribution in gitpython-developers/GitPython#1608
- @bodograumann made their first contribution in gitpython-developers/GitPython#1617
- @EliahKagan made their first contribution in gitpython-developers/GitPython#1636
- @HageMaster3108 made their first contribution in gitpython-developers/GitPython#1619
Full Changelog: https://github.com/gitpython-developers/GitPython/compare/3.1.32...3.1.33
Commits
- 993f045 prepare for next release
- a1c472b Merge pull request #1619 from HageMaster3108/bugfix/use-python-builtin-open-m...
- 70924c4 Skip now permanently failing test with note on how to fix it
- 8b75434 Merge pull request #1636 from EliahKagan/cve-2023-40590
- 7611cd9 Don't check form of version number
- 94e0fb0 Add a unit test for CVE-2023-40590
- 6029211 Fix CVE-2023-40590
- e19abe7 Merge pull request #1634 from madebylydia/main
- 9f74c05 feat: full typing for "progress" parameter
- 186c1ae Creating a lock now uses python built-in "open()" method to work around docke...
- Additional commits viewable in compare view