git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
python3-git: fix for CVE-2022-24439
author Narpat Mali <narpat.mali@windriver.com>
Thu, 12 Jan 2023 14:58:37 +0000 (14:58 +0000)
committer Steve Sakoman <steve@sakoman.com>
Mon, 16 Jan 2023 14:41:29 +0000 (04:41 -1000)
commit 55f93e3786290dfa5ac72b5969bb2793f6a98bde
tree cd0c0115958998fa66f4e5a1a1e28389c9a3667c
parent 0974291e545aec68755dfb634c75dca37cca1ea9
python3-git: fix for CVE-2022-24439

All versions of package gitpython are vulnerable to Remote Code Execution
(RCE) due to improper user input validation, which makes it possible to
inject a maliciously crafted remote URL into the clone command. Exploiting
this vulnerability is possible because the library makes external calls to
git without sufficient sanitization of input arguments.

CVE: CVE-2022-24439

Upstream-Status: Backport

Reference:
https://github.com/gitpython-developers/GitPython/discussions/1529
https://github.com/gitpython-developers/GitPython/pull/1518
https://github.com/gitpython-developers/GitPython/pull/1521

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch [new file with mode: 0644]
meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch [new file with mode: 0644]
meta/recipes-devtools/python/python3-git_3.1.27.bb
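
The commit message above attributes the flaw to clone arguments reaching git without sufficient sanitization. As an added example (not taken from the backported patches or from GitPython itself), this is one way a caller can validate a remote URL before invoking git; the scheme allowlist and all function names are assumptions of this example.

```python
# Added example: allowlist validation of a clone URL before it reaches git.
# Not GitPython's code; names and the scheme policy below are assumptions.
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "ssh", "git"}  # assumed policy for this example


class UnsafeRemote(ValueError):
    """Raised when a remote URL or destination fails validation."""


def validate_remote(url: str) -> str:
    if not url or url != url.strip():
        raise UnsafeRemote("empty or whitespace-padded URL")
    if url.startswith("-"):
        raise UnsafeRemote("URL would be parsed by git as an option")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        raise UnsafeRemote("control character in URL")
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # malformed authority, e.g. bad brackets
        raise UnsafeRemote(str(exc)) from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeRemote(f"scheme {parts.scheme!r} is not allowed")
    if not host or host.startswith("-"):
        raise UnsafeRemote("missing or option-like host")
    return url


def is_safe_remote(url: str) -> bool:
    try:
        validate_remote(url)
    except UnsafeRemote:
        return False
    return True


def build_clone_argv(url: str, dest: str) -> list:
    if not dest or dest.startswith("-"):
        raise UnsafeRemote("destination would be parsed as an option")
    # "--" ends option parsing, so git treats both values as positional.
    return ["git", "clone", "--", validate_remote(url), dest]


def safe_clone(url: str, dest: str) -> None:
    # List argv with no shell: values are never re-split or interpreted.
    subprocess.run(build_clone_argv(url, dest), check=True)
```

Validation of this kind belongs at the point where untrusted input enters the application, in addition to updating to a patched python3-git.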