ALT-PU-2026-7407-2

Update of package python3-module-GitPython in branch sisyphus

Version: 3.1.50-alt1
Task: #417343
Published: 2026-05-13
Max. severity: HIGH

Closed issues (4)

CVE-2026-44243
HIGH 7.8

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.

Published: 2026-05-07, Modified: 2026-06-17
CVSS 3.x: HIGH 7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0: HIGH 7.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
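An added defensive example for the reference-path issue above (not GitPython's own code and not the fix shipped in 3.1.48): before a reference name taken from an untrusted source reaches a Git library's create, rename or delete operation, check it against the naming rules Git itself enforces and confirm that the file it would map to stays under the repository's .git directory. The repository path used in the demonstration is constructed; the filesystem check generalises beyond the '..' case to absolute paths and any other component that escapes the base directory.

```python
"""Validate reference names before they reach a Git library.

Added example, not GitPython's own code. It mirrors (in simplified form)
the rules of `git check-ref-format` and, separately, confirms that the file
a reference would be stored in resolves to a location inside `.git`.
The repository path used below is constructed and need not exist.
"""
import os
import re

# Characters Git never accepts in a ref name: ASCII control characters,
# DEL, space, and the characters ~ ^ : ? * [ and backslash.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_valid_ref_name(name: str) -> bool:
    """Simplified git check-ref-format: True if *name* is a well-formed
    reference name. Traversal components ('..', leading '/') are rejected
    here because Git's own grammar forbids them."""
    if not name or name == "@":
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if ".." in name or "@{" in name or name.endswith("."):
        return False
    if _FORBIDDEN_CHARS.search(name):
        return False
    for component in name.split("/"):
        if component.startswith(".") or component.endswith(".lock"):
            return False
    return True


def ref_path_is_inside_git_dir(git_dir: str, name: str) -> bool:
    """Filesystem-level check, independent of the name grammar: True if the
    loose-ref file for *name* would live under *git_dir*. os.path.join
    discards *git_dir* when *name* is absolute, and realpath collapses '..',
    so both escape routes end up outside *base* and are refused."""
    base = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    return candidate == base or candidate.startswith(base + os.sep)


def check_ref(git_dir: str, name: str) -> bool:
    """Apply both checks; call this before create, rename or delete."""
    return is_valid_ref_name(name) and ref_path_is_inside_git_dir(git_dir, name)


if __name__ == "__main__":
    GIT_DIR = "/tmp/example-repo/.git"  # constructed path
    for candidate in ("refs/heads/main", "../../outside", "/etc/passwd",
                      "refs/heads/feature.lock"):
        verdict = "ok" if check_ref(GIT_DIR, candidate) else "REJECTED"
        print(f"{candidate!r}: {verdict}")
```

The two checks are deliberately independent: the grammar check alone would already refuse '..', but the realpath comparison also catches an absolute name or a symlinked component, which is the kind of input the name grammar says nothing about.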
CVE-2026-44244
HIGH 7.8

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

Published: 2026-05-07, Modified: 2026-06-17
CVSS 3.x: HIGH 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
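An added defensive example for the newline-injection issue above, not GitPython's own code: a validator that rejects configuration values containing line breaks or other control characters before they reach a config writer, plus a small read-side audit that flags indented section headers in an existing config file, which is the shape a smuggled stanza takes. The `safe_set_value` wrapper assumes a writer object exposing `set_value(section, option, value)`, modelled on GitPython's config writer; the sample config text is constructed.

```python
"""Reject line breaks in Git config values and spot smuggled stanzas.

Added example, not GitPython's own code. validate_config_value() is the
input check the advisory describes as missing from set_value(): a value
carrying a line break can otherwise become a second line of the config
file. find_indented_section_headers() is a read-side audit for files that
may already have been written without that check. SAMPLE_CONFIG is
constructed for the demonstration.
"""
import re

# C0 control characters (including \n and \r), DEL, and the Unicode line
# separators that str.splitlines() also treats as line breaks.
_CONTROL = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")


class UnsafeConfigValue(ValueError):
    """Raised when a config value could alter the structure of the file."""


def validate_config_value(value) -> str:
    """Return *value* as a str if it contains no control characters;
    otherwise raise UnsafeConfigValue naming the first offending character."""
    text = str(value)
    match = _CONTROL.search(text)
    if match:
        raise UnsafeConfigValue(
            f"control character {match.group()!r} at offset {match.start()}")
    return text


def is_safe_config_value(value) -> bool:
    """Boolean form of validate_config_value() for callers that do not
    want to handle the exception."""
    try:
        validate_config_value(value)
    except UnsafeConfigValue:
        return False
    return True


def safe_set_value(writer, section: str, option: str, value):
    """Wrapper for a config writer exposing set_value(section, option, value)
    (assumed interface, modelled on GitPython's config writer): validates
    the value first so the writer never sees a line break."""
    return writer.set_value(section, option, validate_config_value(value))


def find_indented_section_headers(config_text: str) -> list:
    """Return 1-based line numbers of indented '[section]' headers.
    Git honours such headers, but ordinary writers emit them at column 0,
    so an indented one usually means a value was split into extra lines."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith("[") and stripped != line:
            hits.append(lineno)
    return hits


# Constructed .git/config text: a normal [user] stanza followed by an
# indented [core] header of the kind a line break in a value would produce.
SAMPLE_CONFIG = (
    "[core]\n"
    "\trepositoryformatversion = 0\n"
    "[user]\n"
    "\tname = Jane Doe\n"
    "\t[core]\n"
    "\thooksPath = /tmp/constructed-hooks\n"
)

if __name__ == "__main__":
    print("safe:", is_safe_config_value("Jane Doe"))
    print("safe:", is_safe_config_value("Jane Doe\n\t[core]"))
    print("indented headers at lines:",
          find_indented_section_headers(SAMPLE_CONFIG))
```

The validator rejects every control character rather than only '\n', because a writer that escapes one line terminator may still pass another through; the audit helper is cheap enough to run over every repository's .git/config as a scheduled check, and any hit on a core.hooksPath line deserves a look.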
GHSA-7545-fcxq-7j24
HIGH 7.8

GitPython reference APIs have a path traversal vulnerability that allows arbitrary file write and delete outside the repository

Published: 2026-05-06, Modified: 2026-05-08
CVSS 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0: HIGH 7.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
GHSA-v87r-6q3f-2j67
HIGH 7.8

GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

Published: 2026-05-06, Modified: 2026-05-08
CVSS 3.x: HIGH 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H