Add notice to gix-transport crate (#1789)

* Add vulnerability for gix-transport crate Reproducer with `gix` (CLI) v0.29 * `gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'` - This will launch a calculator on OSX. Fixed in `gix` (CLI) v0.30. See https://secure.phabricator.com/T12961 for more details. This issue was discovered by @vin01 whom I thank for their diligence! * Add credits to researcher who found the issue: vin01 https://github.com/vin01
2025-12-28 15:28:09 +01:00 · 2023-09-25 14:03:35 +02:00
parent 81594d9fd5
commit 851e5c9638
1 changed files with 25 additions and 0 deletions
--- a/crates/gix-transport/RUSTSEC-0000-0000.md
+++ b/crates/gix-transport/RUSTSEC-0000-0000.md
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "gix-transport"
+date = "2023-09-23"
+url = "https://github.com/Byron/gitoxide/pull/1032"
+references = ["https://secure.phabricator.com/T12961"]
+categories = ["code-execution"]
+[versions]
+patched = [">= 0.36.1"]
+```
+
+# gix-transport code execution vulnerability
+
+The `gix-transport` crate prior to the patched version 0.36.1 would allow attackers to
+use malicious ssh clone URLs to pass arbitrary arguments to the `ssh` program, leading
+to arbitrary code execution.
+
+PoC: `gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'`
+
+This will launch a calculator on OSX.
+
+See https://secure.phabricator.com/T12961 for more details on similar vulnerabilities in `git`.
+
+Thanks for [vin01](https://github.com/vin01) for disclosing the issue.