Advisories for Cargo/Gix-Transport package

The curl-based HTTP transport in gix-transport sends user credentials (passwords, tokens) to an attacker-controlled server after an HTTP redirect. When a server responds with a 302 redirect during the initial GET /info/refs, gitoxide records the redirected base URL and rewrites all subsequent requests to point at the redirected host. The Authorization header is still attached because add_basic_auth_if_present() only checks self.url (the original, never-updated URL). The reqwest backend is not affected. …

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rrjw-j4m2-mf34. This link is maintained to preserve external references. Original Description The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit.

gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.

The gix-transport crate prior to the patched version 0.36.1 would allow attackers to use malicious ssh clone URLs to pass arbitrary arguments to the ssh program, leading to arbitrary code execution. PoC: gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo' This will launch a calculator on OSX. See https://secure.phabricator.com/T12961 for more details on similar vulnerabilities in git. Thanks for vin01 for disclosing this issue.

This advisory duplicates another.