CVE-2023-41040: Blind local file inclusion

[EliahKagan]

This issue is for tracking the public vulnerability CVE-2023-41040:

In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Further details, including example code, are in CVE-2023-41040.

(I'm opening this issue based on the idea in #1635 (comment) that it's useful to have issues for these. This CVE has been mentioned in #1635, but if #1636 is merged then #1635 may be closed. #1636 fixes CVE-2023-40590 but does not also fix CVE-2023-41040.)

[EliahKagan]

I've noticed that this vulnerability is being incorrectly shown as not affecting projects that use GitPython 3.1.33, because the advisory GHSA-cwvm-v4w8-q58c (CVE-2023-41040) specifies the affected versions as <=3.1.32.

In particular, Dependabot considers this resolved in projects that use 3.1.33, and no longer lists the advisory as affecting such projects. I expect that all other automated tools that inspect version metadata from the advisory do this as well. This creates the false impression that 3.1.33 fixes both CVE-2023-40590 and CVE-2023-41040, when really it only fixes CVE-2023-40590.

I recommend editing the version range in the CVE-2023-41040 advisory to include 3.1.33, either by updating it to <=3.1.33 or by making it open-ended.

Relatedly, I think it might also be helpful to edit the other advisory CVE-2023-40590 to list >=3.1.33 as patched versions, since it currently says "None" for that. I think this would make that advisory clearer, and that it may be needed in order for Dependabot to generate security updates.

[stsewd]

I went ahead and updated the versions in the local advisories. The global advisories, one is being updated at github/advisory-database#2695, for the other one I can suggest an update at github/advisory-database#2690.

[facutuesca]

@EliahKagan I created a PR with a possible fix for the issue

[plannigan]

It looks like the GitHub advisory was updated with the patched version information. However, the repository advisory does not show the patched version information (not sure why there is a difference).

[stsewd]

Updated 👍

There are two types of advisories, local and global, GitHub updates the global ones, and maintainers (and looks like reporters too) can update the local ones.