A vulnerability has been discovered in GitPython where crafted input to Repo.clone_from can lead to code execution
|Package||dev-python/GitPython on all architectures|
|Affected versions||< 3.1.30|
|Unaffected versions||>= 3.1.30|
GitPython is a Python library used to interact with Git repositories.
Please review the CVE identifier referenced below for details.
An attacker may be able to trigger Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
There is no known workaround at this time.
All GitPython users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-python/GitPython-3.1.30"
November 01, 2023
November 01, 2023: 1