Ubuntu Security Notice USN-5968-1

Ubuntu Security Notice 5968-1 - It was discovered that GitPython did not properly sanitize user inputs for remote URLs in the clone command. By injecting a maliciously crafted remote URL, an attacker could possibly use this issue to execute arbitrary commands on the host.

Packet Storm

==========================================================================
Ubuntu Security Notice USN-5968-1
March 22, 2023

python-git vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.10
  • Ubuntu 22.04 ESM
  • Ubuntu 20.04 ESM
  • Ubuntu 18.04 ESM
  • Ubuntu 16.04 ESM
  • Ubuntu 14.04 ESM

Summary:

GitPython could be made to execute arbitrary commands on the host.

Software Description:

  • python-git: Python library to interact with Git repositories

Details:

It was discovered that GitPython did not properly sanitize user inputs for
remote URLs in the clone command. By injecting a maliciously crafted
remote URL, an attacker could possibly use this issue to execute arbitrary
commands on the host.
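The gap the notice describes is that a user-supplied remote URL reaches the git process without sanitization. From the defender's side, an added example (not GitPython's code or part of the advisory) of allowlist validation applied to such a URL before a clone is invoked; the trusted host list, accepted schemes and scp-style regex are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed policy for this example: only these transports and hosts are cloneable.
ALLOWED_SCHEMES = {"https", "ssh"}
TRUSTED_HOSTS = {"github.com", "gitlab.example.org"}
# scp-style remotes git also accepts (user@host:path); deliberately strict character set.
_SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@([A-Za-z0-9.-]+):[A-Za-z0-9._/-]+$")


def validate_remote_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Return url unchanged if it passes the allowlist, else raise ValueError.

    An allowlist is used instead of a denylist: git understands many transports
    and remote helpers, and enumerating the dangerous ones is fragile. Values
    that look like command-line options are rejected outright so they can never
    be interpreted as flags by the git process.
    """
    if not url or url != url.strip() or any(c.isspace() for c in url):
        raise ValueError("remote URL must be a single non-empty token")
    if url.startswith("-"):
        raise ValueError("remote URL must not look like a command-line option")
    scp = _SCP_LIKE.match(url)
    if scp:
        host = scp.group(1)
    else:
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            raise ValueError(f"scheme {parts.scheme!r} is not allowed")
        host = parts.hostname
    if host not in trusted_hosts:
        raise ValueError(f"host {host!r} is not in the trusted list")
    return url


def is_acceptable_remote(url: str) -> bool:
    """Boolean wrapper around validate_remote_url for callers that only need yes/no."""
    try:
        validate_remote_url(url)
    except ValueError:
        return False
    return True


def clone_argv(url: str, dest: str) -> list:
    """argv for `git clone`; '--' ends option parsing so later arguments are never flags."""
    return ["git", "clone", "--", validate_remote_url(url), dest]
```

Pass the returned argv list to `subprocess.run` (never a shell string) so the URL is always a single argument; the fixed package versions below remain the primary remediation, and this check is defence in depth for code that still accepts URLs from users.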

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
python3-git 3.1.27-1ubuntu0.1

Ubuntu 22.04 ESM:
python3-git 3.1.24-1ubuntu0.1~esm1

Ubuntu 20.04 ESM:
python3-git 3.0.7-1ubuntu0.1~esm1

Ubuntu 18.04 ESM:
python-git 2.1.8-1ubuntu0.1~esm1
python3-git 2.1.8-1ubuntu0.1~esm1

Ubuntu 16.04 ESM:
python-git 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1
python3-git 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1

Ubuntu 14.04 ESM:
python-git 0.3.2~RC1-3ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5968-1
CVE-2022-24439

Package Information:
https://launchpad.net/ubuntu/+source/python-git/3.1.27-1ubuntu0.1

Related news

Gentoo Linux Security Advisory 202311-01

Gentoo Linux Security Advisory 202311-1 - A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution. Versions greater than or equal to 3.1.30 are affected.

Red Hat Security Advisory 2023-5931-01

Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fix important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.

GHSA-hcpj-qp55-gfph: GitPython vulnerable to Remote Code Execution due to improper user input validation

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
