GHSA-rrjw-j4m2-mf34

Source
https://github.com/advisories/GHSA-rrjw-j4m2-mf34
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rrjw-j4m2-mf34/GHSA-rrjw-j4m2-mf34.json
Published
2023-09-25T20:21:16Z
Modified
2023-09-25T20:21:16Z
Details

The gix-transport crate prior to the patched version 0.36.1 would allow attackers to use malicious ssh clone URLs to pass arbitrary arguments to the ssh program, leading to arbitrary code execution.

PoC: gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'

This will launch a calculator on OSX.

See https://secure.phabricator.com/T12961 for more details on similar vulnerabilities in git.
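The defensive check for this class of bug, as an added example that is not gix-transport's or gitoxide's own code: refuse an ssh host that begins with `-` (ssh would otherwise parse it as an option such as -oProxyCommand) and put `--` before the host so option parsing stops. The URL splitting below is a simplified assumption for illustration, not the crate's parser.

```rust
// Added example, not code from gix-transport. Validates the host part of an
// ssh:// clone URL before it is ever handed to the ssh binary.

#[derive(Debug, PartialEq)]
pub enum HostError {
    Empty,
    LooksLikeOption(String),
}

/// Extract the host from `ssh://[user@]host[:port]/path` (simplified parsing,
/// an assumption of this example) and reject values that ssh would read as a
/// command-line option, i.e. anything starting with `-`.
pub fn validate_ssh_host(url: &str) -> Result<String, HostError> {
    let rest = url.strip_prefix("ssh://").unwrap_or(url);
    // The authority ends at the first '/'.
    let authority = rest.split('/').next().unwrap_or("");
    // Drop an optional `user@` prefix.
    let hostport = authority.rsplit('@').next().unwrap_or("");
    // Drop an optional `:port` suffix.
    let host = hostport.split(':').next().unwrap_or("");
    if host.is_empty() {
        return Err(HostError::Empty);
    }
    if host.starts_with('-') {
        return Err(HostError::LooksLikeOption(host.to_string()));
    }
    Ok(host.to_string())
}

/// Build ssh's argument vector. Even for a validated host, `--` guarantees
/// that nothing after it is interpreted as a flag.
pub fn ssh_args(host: &str, remote_cmd: &str) -> Vec<String> {
    vec!["--".to_string(), host.to_string(), remote_cmd.to_string()]
}

fn main() {
    // The advisory's PoC URL and a benign URL, run through the check.
    for url in ["ssh://-oProxyCommand=open$IFS-aCalculator/foo", "ssh://git@example.com:22/repo.git"] {
        match validate_ssh_host(url) {
            Ok(host) => println!("ok: argv = {:?}", ssh_args(&host, "git-upload-pack 'repo.git'")),
            Err(e) => println!("refusing {url:?}: {e:?}"),
        }
    }
}
```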

References

Affected packages

Package: crates.io / gix-transport
Affected ranges (type: SEMVER)
  Introduced: 0 (the exact introduced commit is unknown)
  Fixed: 0.36.1