gitoxide is a pure Rust implementation of Git, designed to be fast, efficient, and secure. However, a recently discovered vulnerability (CVE-2024-35197) affects gitoxide running on Windows systems. Specifically, this vulnerability allows fetching refs that clash with legacy device names, causing them to read from devices and create the potential for unintended consequences. Furthermore, checking out paths that clash with these names can result in writing arbitrary data to the devices. This can lead to indefinite blocking of the application, the production of arbitrary messages appearing to come from the application, and potentially other harmful effects under limited circumstances.

The Impact

The impact of this vulnerability is primarily on Windows users who clone or otherwise interact with untrusted repositories. These users may potentially experience availability degradation, though this is likely a minor issue in most cases. For instance, a very large file named CON might cause a minor degradation in availability, but the user can usually interrupt the application to resolve the issue. If you are not using Windows or do not interact with untrusted repositories, there is no significant impact from this vulnerability.

The following illustrative snippet sketches where the clash with legacy device names arises. The clone and fetch helpers are placeholder names used for illustration, not real gitoxide APIs:

fn main() {
    use git_repository as git;
    use gitoxide_core as core;

    // Clone a remote repository. A malicious remote may carry refs or paths
    // named CON, NUL, COM1, etc., which Windows resolves to devices.
    let url = "https://github.com/user/legacy-device-name-repo.git";
    let repo = git::clone(url, "target_directory").expect("Repository not found");

    // Placeholder helper (not a real gitoxide function): stands in for fetching
    // refs whose names clash with legacy device names.
    match core::fetch::fetch_refs_with_clashing_device_names(&repo) {
        Ok(()) => println!("Successfully fetched refs"),
        Err(_) => println!("Failed to fetch refs due to clashing device names"),
    }
}
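The defensive check that closes this class of bug is to reject any ref name or tree path whose component Windows would map to a device before writing it to disk. The following is an added example, not gitoxide's own code: it implements the Windows matching rules (case-insensitive, anything after the first dot ignored, trailing spaces and dots stripped, COM/LPT followed by one digit or a superscript 1-3) over constructed sample paths.

```rust
// Added example (not part of gitoxide): flag path or ref components that
// Windows resolves to legacy device names (CON, PRN, AUX, NUL, COM0-9,
// LPT0-9 and the superscript forms COM¹ COM² COM³ / LPT¹ LPT² LPT³).
// Windows compares case-insensitively, drops everything from the first '.'
// onward as an "extension", and strips trailing spaces and dots, so
// "con.txt" and "NUL. " both name devices.

/// Returns true if a single path component would be treated as a device.
fn is_legacy_device_name(component: &str) -> bool {
    // Windows strips trailing spaces and dots before matching.
    let trimmed = component.trim_end_matches(|c: char| c == ' ' || c == '.');
    // Everything from the first '.' onward is ignored as an extension.
    let stem = trimmed.split('.').next().unwrap_or("");
    let upper = stem.to_uppercase();
    match upper.as_str() {
        "CON" | "PRN" | "AUX" | "NUL" => true,
        s => {
            // COMn / LPTn: exactly one trailing digit 0-9 or superscript 1-3.
            let rest = s.strip_prefix("COM").or_else(|| s.strip_prefix("LPT"));
            matches!(rest, Some(r) if r.chars().count() == 1
                && r.chars().all(|c| c.is_ascii_digit() || matches!(c, '¹' | '²' | '³')))
        }
    }
}

/// Returns the first component of a repository path or ref name that Windows
/// would map to a device, or None if the whole path is safe to materialize.
fn first_device_name_clash(path: &str) -> Option<&str> {
    path.split(|c| c == '/' || c == '\\')
        .find(|component| is_legacy_device_name(component))
}

fn main() {
    // Constructed sample entries, as they might appear in a tree or ref list.
    let entries = [
        "src/main.rs",          // safe
        "common/console.rs",    // safe: "console" is not "CON"
        "docs/CON",             // clashes: CON
        "logs/nul.log",         // clashes: extension is ignored
        "drivers/COM1.sys",     // clashes: COM1
        "refs/heads/aux",       // a ref name that would write to AUX
    ];
    for entry in entries {
        match first_device_name_clash(entry) {
            Some(bad) => println!("REJECT {entry}: component {bad:?} names a device"),
            None => println!("ok     {entry}"),
        }
    }
}
```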

Original References and Exploit Details

For more information about this vulnerability and its details, please refer to the following resources:

- CVE-2024-35197 on NIST NVD
- Gitoxide Project Repository on GitHub
- Gitoxide: A Pure Rust Implementation of Git
- Windows Legacy Device Names

Conclusion

While CVE-2024-35197 presents a vulnerability in the gitoxide Rust implementation of Git on Windows, its impact is limited to those who interact with untrusted repositories or use the application in a manner that could lead to clashing with legacy device names. If you avoid such interactions or do not use Windows, this vulnerability is unlikely to have any significant impact on you. However, it is crucial to stay informed about software updates for gitoxide and keep your system patched to mitigate the risks posed by vulnerabilities like this one.

Timeline

Published on: 05/23/2024 13:15:09 UTC
Last modified on: 06/04/2024 17:34:47 UTC