[GHSA-2mqj-m65w-jghx] Untrusted search path under some conditions on Windows allows arbitrary code execution #3290

@EliahKagan EliahKagan commented Jan 16, 2024

Updates

  • Affected products
  • Description

Comments
This fixes some confusing and slightly inaccurate wording that I had missed when first writing this. This edit does not attempt to change the meaning of anything in the advisory; it is only to make a few parts of the advisory clearer and easier to read. I have made this change already in the repository-local version of the advisory at GHSA-2mqj-m65w-jghx. See also gitpython-developers/GitPython#1792 (comment).

The automatically generated portion of this pull request description lists "Affected products" as having been updated, but I am not sure why that is the case. It is only the wording of the advisory that I intend to make modifications to here. However, the diff appears correct and seems only to change what I intend.


github commented Jan 16, 2024

Hi there @EliahKagan and @Byron! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our highly-trained Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to EliahKagan/advisory-improvement-3290 January 16, 2024 23:23
@advisory-database advisory-database bot merged commit dc52963 into EliahKagan/advisory-improvement-3290 Jan 17, 2024
2 checks passed
@advisory-database advisory-database bot deleted the EliahKagan-GHSA-2mqj-m65w-jghx branch January 17, 2024 16:00
@advisory-database
Contributor

Hi @EliahKagan! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!


shelbyc commented Jan 17, 2024

Hi @EliahKagan, I incorporated the changes into the global advisory. Let me know if everything looks OK on your end. 👍

@EliahKagan
Author

@shelbyc Thanks!

It looks like literal backslashes have appeared in front of double quote characters in one of the code blocks:

cd testrepo
python -c \"import git; print(git.Git().version(shell=True))\"

Besides that, everything looks good from applying the change.

I did not knowingly insert such backslashes, and I wonder if they arose as a result of a bug in the https://github.com/advisories/GHSA-2mqj-m65w-jghx/improve interface, since they do not appear in the preview there. But they do appear on the actual advisory page GHSA-2mqj-m65w-jghx. But I don't see anything wrong with the diff shown here, so maybe the problem is instead in how the change from the pull request is subsequently applied to the advisory in the database.

I do see a sign of the problem in https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-2mqj-m65w-jghx/GHSA-2mqj-m65w-jghx.json, where those specific double quotes, and no others, appear in the JSON code as \\\" instead of \".

I've never manually opened a pull request on this github-advisories repository, but if that's the appropriate way to fix this then I'd be pleased to do so. But I'm not sure if that would work, or if it would be the best approach. This is a pretty minor issue--most readers will infer what is intended in that code block--but I think it may be worth fixing, if it's not too time-consuming to do so. If there's anything I should do, please let me know.

Thanks again for reviewing this pull request!
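The double-escaping described in the comment above, as an added example that is not part of the original thread or of the advisory-database tooling: a small Python check that decodes a constructed OSV-style record (not the real GHSA-2mqj-m65w-jghx.json), flags code-block lines where a literal backslash precedes a quote, and strips those backslashes before re-serialising.

```python
import json
import re

# Constructed advisory record shaped like an OSV "details" field (not the real
# GHSA-2mqj-m65w-jghx.json). At the JSON-text level the quotes inside the fenced
# code block are stored as \\\" instead of \", so after JSON decoding the Markdown
# holds a literal backslash before each quote. Markdown removes a backslash that
# escapes punctuation in prose but not inside a code block, which is why the
# stray characters are visible only there.
ADVISORY_JSON = r'''{
  "id": "GHSA-2mqj-m65w-jghx",
  "details": "Reproduce with:\n\n```sh\ncd testrepo\npython -c \\\"import git; print(git.Git().version(shell=True))\\\"\n```\n"
}'''

# Fenced code blocks in the decoded Markdown, and a backslash directly in front
# of a single or double quote.
FENCE_RE = re.compile(r"```[^\n]*\n(.*?)```", re.DOTALL)
STRAY_RE = re.compile(r'''\\(["'])''')


def details_of(advisory_text: str) -> str:
    """Decode the JSON record and return its Markdown 'details' field."""
    return json.loads(advisory_text)["details"]


def find_stray_escapes(advisory_text: str) -> list[str]:
    """Return every code-block line that still carries a backslash before a quote."""
    hits = []
    for block in FENCE_RE.findall(details_of(advisory_text)):
        hits.extend(line for line in block.splitlines() if STRAY_RE.search(line))
    return hits


def strip_stray_escapes(advisory_text: str) -> str:
    """Re-serialise the record with the doubled escapes removed from code blocks only."""
    record = json.loads(advisory_text)
    record["details"] = FENCE_RE.sub(
        lambda m: STRAY_RE.sub(r"\1", m.group(0)), record["details"]
    )
    # json.dumps escapes each quote exactly once, so the JSON text now holds \" again.
    return json.dumps(record, indent=2)


if __name__ == "__main__":
    for line in find_stray_escapes(ADVISORY_JSON):
        print("stray escape:", line)
    print(strip_stray_escapes(ADVISORY_JSON))
```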


shelbyc commented Jan 19, 2024

@EliahKagan Thanks for pointing out the improper \ characters! I've fixed them and the line python -c "import git; print(git.Git().version(shell=True))" should appear properly now.

@EliahKagan
Author

Thanks--it looks great!
