
Advisory for CVE-2025-22620 (chmod 777) in gix-worktree-state #2193

Merged
merged 1 commit into from
Jan 18, 2025

Conversation

EliahKagan
Contributor

This adds a notice for CVE-2025-22620 (GHSA-fqmf-w4xh-33rh) in gix-worktree-state.

When a global GHSA is published, I can open another PR to add a reference to that.

I wasn't sure what to do here for affected operating systems. Only Unix-like operating systems are affected, which seems like something that could be valuable to express in the advisory metadata. But if I understand correctly, no value like "unix" is recognized for affected.os. Currently, I have not specified affected.os in the metadata. But would it be better to list all target operating systems that are Unix-like individually? (If so, I could use the technique in #1911 (comment), which still works, to produce the list.)

cc @Byron

@Shnatsel
Member

Thank you!

Yeah, unfortunately there is no way to express unix-ness still. Maybe we should add one with os_family or some such.

@Shnatsel Shnatsel merged commit ee2897e into rustsec:main Jan 18, 2025
1 check passed
license = "CC0-1.0"

[affected.functions]
"gix_worktree_state::checkout" = ["*"]
Member

This should be patched = ["< 0.17.0"], which is admittedly a bit of a wart in the format. I'll fix this field.

Contributor Author

Thanks! I think I've done it this way (with "*") in some other RUSTSEC advisories as well--I vaguely recall there had been some kind of linting error when I had tried to do it differently, but I was probably doing it the wrong way (maybe the relational operator I was using was something other than <).

My guess is that "*" that I have written in other advisories may already have been fixed. But I'll check right now and, if any remain (and there is a fix, such that a specific upper bound is applicable), I'll open a PR to improve them.

@EliahKagan EliahKagan Jan 18, 2025
Contributor Author

I've opened #2198 for this. It seems to lint okay.

@EliahKagan
Contributor Author

Thanks!

Should I list the Unix-like targets individually? Or is it better to leave it out?

@EliahKagan EliahKagan deleted the cve-2025-22620-chmod branch January 18, 2025 21:24
@Shnatsel
Member

I think it's a good idea to list the unix-like targets. Since this PR is already merged, please open a new PR for that change.

The advisory will not go live until we assign it an ID by merging #2194

@EliahKagan
Contributor Author

EliahKagan commented Jan 18, 2025

Sounds good, I'll open a PR to list the OS targets very soon.

Edit: I've opened #2196 for this.

EliahKagan added a commit to EliahKagan/advisory-db that referenced this pull request Jan 18, 2025
This builds on rustsec#2193 by listing all Unix-like target operating
systems as affected (since a category of OSes like "unix" cannot
currently be represented in RUSTSEC advisory metadata).

The list was obtained by running the command given in:
rustsec#1911 (comment)

The vulnerability is specific to Unix-like operating systems
because:

- The vulnerable code runs only in the `unix` build configuration.

- 0777 permissions are meaningful on such systems and (due to
  containing 0002) allow any user account on the system to write.

Therefore, if there are any Unix-like systems where Unix-style
filesystem permissions are not used, or that are *truly* single
user (i.e. do not use multiple user accounts, not even for running
daemons with limited privileges), then this vulnerability would not
affect such systems.

In addition, I have not attempted specifically to run the proof of
concept for the vulnerability on most of the listed operating
systems, nor examined whether `gix-worktree-state` might not be
usable on some of them for reasons unrelated to this vulnerability.

Conversely, if new target OSes are added in the future, and they
are Unix-like, then they would probably be vulnerable, even though
not listed here. (It may not be likely that anyone would be using
an affected version of `gix-worktree-state` by that time, though.)
Shnatsel pushed a commit that referenced this pull request Jan 18, 2025
EliahKagan added a commit to EliahKagan/advisory-db that referenced this pull request Jan 18, 2025
When including information about affected functions in advisory
metadata, I have used `"*"` in a few advisories when the bounds
were no narrower than the bounds for the vulnerability. But
specific bounds are still needed or preferred in that situation.

This replaces `"*"` in those advisories with more specific bounds.
(For rustsec#2193, this has already been done in rustsec#2195.)

See discussion in:
rustsec#2193 (review)
EliahKagan added a commit to EliahKagan/advisory-db that referenced this pull request Jan 18, 2025
In rustsec#2193, the body text for RUSTSEC-2025-0001 (CVE-2025-22620) is
from GHSA-fqmf-w4xh-33rh, and I forgot to make the two bare URLs
linkified in the different Markdown dialect used on rustsec.org.
(They link to directly relevant portions of code. Other hyperlinks
are on text other than the URL itself, and thus already work.)

This adds `<` `>` around each of them, which I think is sufficient
to linkify them as intended in a RUSTSEC advisory.
Shnatsel pushed a commit that referenced this pull request Jan 18, 2025