CVE-2023-40267

NameCVE-2023-40267
DescriptionGitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3502-1, DLA-3939-1
Debian Bugs1043503

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-git (PTS)bullseye3.1.14-1vulnerable
bullseye (security)3.1.14-1+deb11u1fixed
bookworm3.1.30-1+deb12u2fixed
sid, trixie3.1.37-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-gitsourcebuster2.1.11-1+deb10u1DLA-3502-1
python-gitsourcebullseye3.1.14-1+deb11u1DLA-3939-1
python-gitsourcebookworm3.1.30-1+deb12u2
python-gitsource(unstable)3.1.36-11043503

Notes

https://github.com/gitpython-developers/GitPython/pull/1609
https://github.com/gitpython-developers/GitPython/commit/5c59e0d63da6180db8a0b349f0ad36fef42aceed (3.1.32)
Search for package or bug name: Reporting problems