USN-5968-1: GitPython vulnerability
22 March 2023
GitPython could me made to execute arbitrary commands on the host.
- python-git - Python library to interact with Git repositories - Python 2.7
It was discovered that GitPython did not properly sanitize user inputs for
remote URLs in the clone command. By injecting a maliciously crafted
remote URL, an attacker could possibly use this issue to execute arbitrary
commands on the host.
The problem can be corrected by updating your system to the following package versions:
- python3-git - 3.1.24-1ubuntu0.1~esm1
- python3-git - 3.0.7-1ubuntu0.1~esm1
- python-git - 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1
- python3-git - 1.0.1+git137-gc8b8379-2.1ubuntu0.1~esm1
- python-git - 0.3.2~RC1-3ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.