Advisory for CVE-2024-35197 (device names) in gix-ref, gix-index, gix-worktree #1997
This adds notices for the Windows device name handling vulnerability CVE-2024-35197 (GHSA-49jc-r788-3fc9). This is a separate vulnerability from the one that #1996 is about—and I cannot open a single PR for both because they both have `RUSTSEC-0000-0000.md` files in two of the same locations until IDs are assigned—but it is likewise discussed in GitoxideLabs/gitoxide#1437 (cc @Byron).

The advisory text (long description) is what I wrote for GHSA-49jc-r788-3fc9 and is essentially the same as in the global advisory. This is analogous to the situation in #1996, albeit for different advisories/vulnerabilities. Both there and here, it is and has always been my intention that this text be dedicated to the public domain (with CC0).

Some of the same considerations there apply here as well, such as the possible need to create multiple RUSTSEC advisories since multiple crates are affected in a way that is not fully independent. However, here there is another factor: `gix-ref` is affected in a very different way from the other crates.

That is because this vulnerability has two clearly distinct aspects, or variants: the effect on references, which causes `gix-ref` to be a directly affected crate; and the effect on paths, which is wholly independent of `gix-ref` and which the advisory text describes behaviorally in terms of `gix-worktree-state`, but for which I consider the primary affected crates to be `gix-index` and `gix-worktree`.

This bifurcation may justify altering the RUSTSEC advisory text so that the different affected crates are described differently, with one long description for `gix-ref` that covers only the effect on references, and a separate long description for `gix-index` and `gix-worktree` that covers only the effect on paths. I am unsure if this is justified, but if so then I would be pleased to make that change. Unlike most advisory text changes, this would not require a corresponding change in the repo-local or global GHSA advisory text (since those notices would still need to combine the two aspects of the vulnerability into one description).

I wasn't sure what, if anything, to put here for `categories` or `keywords`. Although I'd prefer to list a category if one is clearly correct, I'm not sure any properly applies for this or most CWE-67 vulnerabilities. (Few such vulnerabilities seem to have been reported in recent years; it looks like this one is the only one in GHSA.) A possible impact is denial of service, either by disrupting interaction with external devices, or by writing a large amount of text to a terminal. But I don't think DoS is the main concern for this vulnerability. For now I have not listed any categories.