Fedora has issued an advisory on May 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q2V3HOFU4ZVTQZHAVAVL3EX2KU53SP7R/ The issue is fixed upstream in 1.11.0.
There are a lot of changes between our version and 1.11.0, so I'll add only the fix: https://github.com/ruby-git/ruby-git/pull/569/commits/e36039105c86f1b0512d707054f615812919
ruby-git-1.6.0-1.1.mga8 currently building

Before:
$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
/tmp/VULNERABLE

After:
$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
ls: cannot access '/tmp/VULNERABLE': No such file or directory
ruby-git-1.6.0-1.1.mga8
ruby-git-doc-1.6.0-1.1.mga8

from ruby-git-1.6.0-1.1.mga8.src.rpm
Assignee: pterjan => qa-bugs
CC: (none) => pterjan
Keywords: (none) => has_procedure
Installed ruby-git.

Before update:
$ mkdir /tmp/VULNERABLE /tmp/project
$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
/tmp/VULNERABLE

After update:
$ rm -rf /tmp/VULNERABLE /tmp/project; ruby -rgit -e 'g = Git.init("/tmp/project"); g.fetch("--upload-pack=touch /tmp/VULNERABLE;", { ref: "some/ref/head" });' >/dev/null 2>&1; ls /tmp/VULNERABLE
ls: cannot access '/tmp/VULNERABLE': No such file or directory

$ ri git
shows general usage for the initiated. Examples at https://github.com/ruby-git/ruby-git
Did not get very far with those - completely unfamiliar territory.

$ irb
irb(main):001:0> require 'git'
/usr/share/gems/gems/git-1.6.0/lib/git/lib.rb:1056: warning: Using the last argument as keyword parameters is deprecated
=> true
irb(main):002:0> g = Git.open( '/tmp/project' )
=> #<Git::Base:0x000000000160d5a0 @logger=nil, @working_directory=#<Git::Wo...
irb(main):003:0> g.index
=> #<Git::Index:0x00000000011e5f40 @path="/tmp/project/.git/index">
irb(main):004:0> g.index.readable?
=> false
irb(main):005:0> g.index.writable?
=> false
irb(main):006:0> g.repo
=> #<Git::Repository:0x00000000011e6030 @path="/tmp/project/.git">
irb(main):007:0> g.dir
=> #<Git::WorkingDirectory:0x00000000011e6170 @path="/tmp/project">
irb(main):008:0> exit

Have to leave it there and give it an OK on the basis of the successful PoC and the fact that it is possible to initiate a local Git project.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
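The PoC above works because a caller-controlled value lands in the position git expects a remote name, and git reads anything starting with "-" there as an option (here --upload-pack=<cmd>, which git then executes). The guard below is an added example, not code from the bug report or from ruby-git: it validates positional arguments before building the git argv, so such a value is rejected instead of being parsed as an option. The function names and the rule (reject a leading "-") are my own.

```ruby
# Added example (not ruby-git's own code): refuse positional git arguments
# that git would parse as options. A remote name or refspec may legitimately
# start with "+" or "^" but never with "-".
class OptionInjectionError < ArgumentError; end

# Validates one positional argument and returns it unchanged.
def assert_positional!(value, what)
  raise OptionInjectionError, "#{what} must not be empty" if value.nil? || value.empty?
  if value.start_with?('-')
    raise OptionInjectionError, "#{what} #{value.inspect} would be parsed by git as an option"
  end
  value
end

# Builds the argv for `git fetch <remote> <refspec>` as an array. Passing an
# array to Process.spawn/Open3 means no shell is involved and each element is
# exactly one argument; the assert above keeps git itself from re-parsing a
# positional as an option.
def fetch_argv(remote, refspec, git: 'git')
  [git, 'fetch',
   assert_positional!(remote, 'remote'),
   assert_positional!(refspec, 'refspec')]
end

# Returns true when the pair is rejected, false when it would be accepted.
def rejected?(remote, refspec)
  fetch_argv(remote, refspec)
  false
rescue OptionInjectionError
  true
end

if __FILE__ == $PROGRAM_NAME
  # The exact string from the PoC in this bug report is refused...
  puts rejected?('--upload-pack=touch /tmp/VULNERABLE;', 'some/ref/head') # => true
  # ...while an ordinary remote and refspec pass through untouched.
  p fetch_argv('origin', '+refs/heads/main:refs/remotes/origin/main')
end
```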
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0248.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED