https://bugzilla.suse.com/show_bug.cgi?id=1225024 Bug ID: 1225024 Summary: VUL-0: CVE-2024-35197: gitoxide: refs and paths with reserved Windows device names access the devices Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: camila.matos@suse.com QA Contact: security-team@suse.de Target Milestone: --- Found By: --- Blocker: --- On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances. References: https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35197 -- You are receiving this mail because: You are on the CC list for the bug.