OESA-2023-1628

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1628
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1628.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1628
Upstream
Published
2023-09-15T11:05:54Z
Modified
2025-08-12T05:22:11.852024Z
Summary
python-GitPython security update
Details

GitPython is a python library used to interact with Git repositories. GitPython provides object model read and write access to your git repository. Access repository information conveniently, alter the index directly, handle remotes, or go down to low-level object database access with big-files support. With the new object database abstraction added in 0.3, it's even possible to implement your own storage mechanisms; the currently available implementations are 'cgit' and pure python, which is the default. Documentation: the latest documentation can be found here: As this version of GitPython depends on GitDB, which in turn needs smmap to work, installation is a bit more involved if you do a manual installation, instead of using pip.

Security Fix(es):

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory. In some places the name of the file being read is provided by the user, and GitPython doesn't check whether this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed. (CVE-2023-41040)
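The defect described above is an unchecked path join: a base directory is combined with a caller-supplied name and the result is used without confirming it still lies under the base. The following is an added example, not GitPython's code and not the upstream fix; the function names (`unsafe_ref_path`, `safe_ref_path`, `classify`) and the sample reference names are this example's own. It places the vulnerable pattern beside a containment check so the difference is visible on realistic inputs.

```python
"""
Added example (not GitPython's code): the unchecked-join pattern the advisory
describes, beside a containment check that rejects reference names resolving
outside the base directory. Function names here are this example's own.
"""
import os


def unsafe_ref_path(base_dir: str, ref_name: str) -> str:
    """The vulnerable pattern: join and trust the result.

    os.path.join discards base_dir entirely when ref_name is absolute, and
    '..' segments walk out of base_dir, so the returned path may point
    anywhere on the filesystem.
    """
    return os.path.join(base_dir, ref_name)


def safe_ref_path(base_dir: str, ref_name: str) -> str:
    """Join ref_name onto base_dir and refuse any result that escapes it.

    Normalisation collapses '.' and '..' before the check, so a traversal
    cannot hide behind a later segment. Absolute ref names are rejected
    outright because join() would drop base_dir for them.
    """
    base = os.path.normpath(os.path.abspath(base_dir))
    if os.path.isabs(ref_name):
        raise ValueError(f"absolute reference name rejected: {ref_name!r}")
    candidate = os.path.normpath(os.path.join(base, ref_name))
    # commonpath() is the containment test: the shared prefix of base and
    # candidate must be base itself. A plain string-prefix test would let
    # a sibling such as /repo/.git-other slip past /repo/.git.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"reference name escapes {base!r}: {ref_name!r}")
    return candidate


def classify(base_dir: str, ref_name: str) -> str:
    """Return 'contained' or 'rejected' instead of raising, so a caller can
    log or alert on untrusted reference names in bulk."""
    try:
        safe_ref_path(base_dir, ref_name)
        return "contained"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    base = "/repo/.git"
    # Constructed sample inputs: an ordinary ref, a '..' traversal that stays
    # inside, a traversal that escapes, and an absolute name.
    for name in ("refs/heads/main", "refs/../HEAD", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:20} unchecked -> {unsafe_ref_path(base, name)!r:32} "
              f"checked -> {classify(base, name)}")
```

The check must run on the normalised result rather than on the raw name: rejecting a literal `..` prefix misses names such as `refs/../../x`, and a string prefix comparison misses sibling directories that merely share the base's spelling. When the base may contain symlinks, apply the same comparison to `os.path.realpath` of both sides.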

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / python-GitPython

Package

Name
python-GitPython
Purl
pkg:rpm/openEuler/python-GitPython&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.32-2.oe1

Ecosystem specific

{
    "noarch": [
        "python3-GitPython-3.1.32-2.oe1.noarch.rpm",
        "python-GitPython-help-3.1.32-2.oe1.noarch.rpm"
    ],
    "src": [
        "python-GitPython-3.1.32-2.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / python-GitPython

Package

Name
python-GitPython
Purl
pkg:rpm/openEuler/python-GitPython&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.32-2.oe1

Ecosystem specific

{
    "noarch": [
        "python3-GitPython-3.1.32-2.oe1.noarch.rpm",
        "python-GitPython-help-3.1.32-2.oe1.noarch.rpm"
    ],
    "src": [
        "python-GitPython-3.1.32-2.oe1.src.rpm"
    ]
}

openEuler:22.03-LTS / python-GitPython

Package

Name
python-GitPython
Purl
pkg:rpm/openEuler/python-GitPython&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.32-2.oe2203sp2

Ecosystem specific

{
    "noarch": [
        "python-GitPython-help-3.1.32-2.oe2203.noarch.rpm",
        "python3-GitPython-3.1.32-2.oe2203.noarch.rpm",
        "python-GitPython-help-3.1.32-2.oe2203sp1.noarch.rpm",
        "python3-GitPython-3.1.32-2.oe2203sp1.noarch.rpm",
        "python-GitPython-help-3.1.32-2.oe2203sp2.noarch.rpm",
        "python3-GitPython-3.1.32-2.oe2203sp2.noarch.rpm"
    ],
    "src": [
        "python-GitPython-3.1.32-2.oe2203.src.rpm",
        "python-GitPython-3.1.32-2.oe2203sp1.src.rpm",
        "python-GitPython-3.1.32-2.oe2203sp2.src.rpm"
    ]
}

openEuler:22.03-LTS-SP1 / python-GitPython

Package

Name
python-GitPython
Purl
pkg:rpm/openEuler/python-GitPython&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.32-2.oe2203sp1

Ecosystem specific

{
    "noarch": [
        "python-GitPython-help-3.1.32-2.oe2203sp1.noarch.rpm",
        "python3-GitPython-3.1.32-2.oe2203sp1.noarch.rpm"
    ],
    "src": [
        "python-GitPython-3.1.32-2.oe2203sp1.src.rpm"
    ]
}

openEuler:22.03-LTS-SP2 / python-GitPython

Package

Name
python-GitPython
Purl
pkg:rpm/openEuler/python-GitPython&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.32-2.oe2203sp2

Ecosystem specific

{
    "noarch": [
        "python-GitPython-help-3.1.32-2.oe2203sp2.noarch.rpm",
        "python3-GitPython-3.1.32-2.oe2203sp2.noarch.rpm"
    ],
    "src": [
        "python-GitPython-3.1.32-2.oe2203sp2.src.rpm"
    ]
}