rustsec / advisory-db

Security advisory database for Rust crates published through crates.io
https://rustsec.org

Advisory for CVE-2024-35197 (device names) in gix-ref, gix-index, gix-worktree #1997

Closed EliahKagan closed 2 months ago

EliahKagan commented 3 months ago

This adds notices for the Windows device name handling vulnerability CVE-2024-35197 (https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9). This is a separate vulnerability from the one that #1996 is about—and I cannot open a single PR for both because they both have RUSTSEC-0000-0000.md files in two of the same locations until IDs are assigned—but it is likewise discussed in https://github.com/Byron/gitoxide/discussions/1437 (cc @Byron).

The advisory text (long description) is what I wrote for https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9 and is essentially the same as in the global advisory. This is analogous to the situation in #1996, albeit for different advisories/vulnerabilities. Both there and here, it is and has always been my intention that this text be dedicated to the public domain (with CC0).

Some of the same considerations there apply here as well, such as the possible need to create multiple RUSTSEC advisories since multiple crates are affected in a way that is not fully independent. However, here there is another factor: gix-ref is affected in a very different way from the other crates.

That is because this vulnerability has two clearly distinct aspects, or variants: the effect on references, which causes gix-ref to be a directly affected crate; and the effect on paths, which is wholly independent of gix-ref and which the advisory text describes behaviorally in terms of gix-worktree-state, but for which I consider the primary affected crates to be gix-index and gix-worktree.

This bifurcation may justify altering the RUSTSEC advisory text so that the different affected crates are described differently, with one long description for gix-ref that covers only the effect on references, and a separate long description for gix-index and gix-worktree that covers only the effect on paths. I am unsure if this is justified, but if so then I would be pleased to make that change. Unlike most advisory text changes, this would not require a corresponding change in the repo-local or global GHSA advisory text (since those notices would still need to combine the two aspects of the vulnerability into one description).

I wasn't sure what, if anything, to put here for categories or keywords. Although I'd prefer to list a category if one is clearly correct, I'm not sure any properly applies for this or most CWE-67 vulnerabilities. (Few such vulnerabilities seem to have been reported in recent years; it looks like this one is the only one in GHSA.) A possible impact is denial of service, either by disrupting interaction with external devices, or by writing a large amount of text to a terminal. But I don't think DoS is the main concern for this vulnerability. For now I have not listed any categories.
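Since the comment above characterises this as a CWE-67 (Windows device name) issue affecting both references and checked-out paths, here is an added example, not part of this PR or of gitoxide's code, of the defensive check such a class of bug calls for: classifying a path or reference component as a reserved Win32 device name, including the extension and trailing-space forms that Windows still resolves to the device. The reserved-name table and the matching rules follow the Win32 file-naming documentation; the `first_device_component` helper and its component splitting are this example's own.

```rust
// Added example (not gitoxide code): detect path/ref components that Win32
// resolves to a device (CWE-67). Rules follow the Win32 naming documentation.

const DEVICE_NAMES: &[&str] = &[
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
];

/// Returns the canonical device name if `component` would be interpreted by
/// Win32 as a device (e.g. "con", "CON.txt", "aux   ", "Nul.tar.gz"),
/// otherwise `None`. Three rules apply together: matching is ASCII
/// case-insensitive, anything from the first '.' onward is ignored (an
/// "extension" does not prevent device resolution), and trailing spaces are
/// stripped. "COM10" and "console" are ordinary names and return `None`.
pub fn windows_device_name(component: &str) -> Option<&'static str> {
    let stem = component.split('.').next().unwrap_or("");
    let stem = stem.trim_end_matches(' ');
    DEVICE_NAMES
        .iter()
        .copied()
        .find(|name| name.eq_ignore_ascii_case(stem))
}

/// Walks a repository-relative path or reference name (either separator)
/// and reports the index and device of the first component naming a device,
/// so a caller can reject it or log it before touching the filesystem.
pub fn first_device_component(rel_path: &str) -> Option<(usize, &'static str)> {
    rel_path
        .split(|c| c == '/' || c == '\\')
        .enumerate()
        .find_map(|(idx, part)| windows_device_name(part).map(|d| (idx, d)))
}

fn main() {
    // Constructed sample inputs, not taken from any real repository.
    for p in ["src/main.rs", "docs/CON.md", "drivers\\com1\\readme", "refs/heads/nul"] {
        match first_device_component(p) {
            Some((i, d)) => println!("{p}: component {i} resolves to device {d}"),
            None => println!("{p}: ok"),
        }
    }
}
```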

EliahKagan commented 3 months ago

I made a mistake in copying some of the Markdown, which linting has fortunately caught. I'll fix that in a couple of minutes. I think I've fixed that now.