openEuler Security Advisory: python-GitPython security update

Advisory ID: openEuler-SA-2023-1628
Status: Final
Version: 1.0
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Initial release date: 2023-09-15
Current release date: 2023-09-15
Generator: openEuler SA Tool V1.0, 2023-09-15
Severity: Medium

Synopsis

An update for python-GitPython is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.

openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

GitPython is a Python library used to interact with Git repositories. GitPython provides object model read and write access to your Git repository: access repository information conveniently, alter the index directly, handle remotes, or go down to low-level object database access with big-file support. With the new object database abstraction added in 0.3, it is even possible to implement your own storage mechanisms; the currently available implementations are 'cgit' and pure Python, which is the default. Documentation: the latest documentation can be found here: As this version of GitPython depends on GitDB, which in turn needs smmap to work, installation is a bit more involved if you do a manual installation instead of using pip.

Security Fix(es)

GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory. In some places the name of the file being read is provided by the user, and GitPython does not check whether this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user-given string without checking whether the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed. (CVE-2023-41040)

Affected Products

openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2

Updated Packages

openEuler-20.03-LTS-SP1 (noarch):
  python3-GitPython-3.1.32-2.oe1.noarch.rpm
  python-GitPython-help-3.1.32-2.oe1.noarch.rpm
openEuler-20.03-LTS-SP3 (noarch):
  python3-GitPython-3.1.32-2.oe1.noarch.rpm
  python-GitPython-help-3.1.32-2.oe1.noarch.rpm
openEuler-22.03-LTS (noarch):
  python-GitPython-help-3.1.32-2.oe2203.noarch.rpm
  python3-GitPython-3.1.32-2.oe2203.noarch.rpm
openEuler-22.03-LTS-SP1 (noarch):
  python-GitPython-help-3.1.32-2.oe2203sp1.noarch.rpm
  python3-GitPython-3.1.32-2.oe2203sp1.noarch.rpm
openEuler-22.03-LTS-SP2 (noarch):
  python-GitPython-help-3.1.32-2.oe2203sp2.noarch.rpm
  python3-GitPython-3.1.32-2.oe2203sp2.noarch.rpm

Source packages:
  openEuler-20.03-LTS-SP1: python-GitPython-3.1.32-2.oe1.src.rpm
  openEuler-20.03-LTS-SP3: python-GitPython-3.1.32-2.oe1.src.rpm
  openEuler-22.03-LTS: python-GitPython-3.1.32-2.oe2203.src.rpm
  openEuler-22.03-LTS-SP1: python-GitPython-3.1.32-2.oe2203sp1.src.rpm
  openEuler-22.03-LTS-SP2: python-GitPython-3.1.32-2.oe2203sp2.src.rpm

Vulnerability Details

CVE-2023-41040
  Release date: 2023-09-15
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2
  Severity: Medium
  CVSS base score: 6.5
  CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
  Description: see Security Fix(es) above (the path-join in git/refs/symbolic.py that does not confine the resolved path to the `.git` directory).
  Title: python-GitPython security update (2023-09-15)

References

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1628
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-41040
https://nvd.nist.gov/vuln/detail/CVE-2023-41040
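The root cause described above is a path join without a containment check. The following added example (not GitPython's code and not part of the advisory; the function names, the `/srv/repo/.git` base and the ref strings are constructed for illustration) places the unsafe pattern beside a hardened variant that resolves the joined path and refuses anything that does not land strictly below the `.git` directory, including `..` segments hidden after a valid prefix and absolute ref strings, which `os.path.join` silently lets replace the base.

```python
"""Path containment for ref lookups: the unsafe join pattern beside a checked one.

Constructed example; not GitPython's implementation and not the fix shipped
in the advisory's packages.
"""
import os
from pathlib import Path
from typing import Dict, Iterable


def unsafe_ref_path(git_dir: str, ref: str) -> str:
    """The pattern the advisory describes: the base directory joined with a
    caller-supplied ref name and no check that the result stays inside it.
    Note that os.path.join discards git_dir entirely if ref is absolute."""
    return os.path.join(git_dir, ref)


def safe_ref_path(git_dir: str, ref: str) -> str:
    """Hardened variant (constructed helper): resolve both paths, then require
    the base directory to be a proper ancestor of the candidate.  Resolving
    collapses '..' segments and symlinks, so the check is made on the path the
    file system would actually open, not on the raw string."""
    base = Path(git_dir).resolve()
    candidate = (base / ref).resolve()  # absolute ref replaces base, as with os.path.join
    if base not in candidate.parents:  # also rejects ref == "" (candidate == base)
        raise ValueError(f"ref {ref!r} resolves outside {git_dir}: {candidate}")
    return str(candidate)


def classify_refs(git_dir: str, refs: Iterable[str]) -> Dict[str, str]:
    """Run every ref through the containment check and report 'ok' or
    'rejected' per ref; useful for unit-testing a lookup layer or for
    reviewing ref names taken from untrusted input."""
    verdict: Dict[str, str] = {}
    for ref in refs:
        try:
            safe_ref_path(git_dir, ref)
            verdict[ref] = "ok"
        except ValueError:
            verdict[ref] = "rejected"
    return verdict


if __name__ == "__main__":
    # Constructed inputs: one legitimate ref and several that escape .git.
    sample_refs = ["HEAD", "refs/heads/main", "../../../etc/passwd",
                   "/etc/passwd", "refs/../../config", ""]
    for name, result in classify_refs("/srv/repo/.git", sample_refs).items():
        print(f"{name!r:28} unsafe={unsafe_ref_path('/srv/repo/.git', name)!r:40} {result}")
```

The demo deliberately uses a base directory that need not exist: `Path.resolve()` normalises non-existent paths too, so the check works before any file is opened. In a real lookup layer the check belongs immediately before the `open()`, and a rejection should be logged with the raw ref string, since a ref that starts with a valid-looking prefix such as `refs/` and still escapes is the case a reviewer most easily misses.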