Safety vulnerability ID: 63687
The information on this page was manually curated by our Cybersecurity Intelligence Team.
GitPython 3.1.41 fixes a vulnerability (CVE-2024-22190) involving an untrusted search path issue on Windows, which could allow execution of malicious git.exe or bash.exe from untrusted repositories. This update addresses the incomplete fix from CVE-2023-40590.
Note: it only affects Windows users.
https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx
Latest version: 3.1.43
GitPython is a Python library used to interact with Git repositories.
The details about the Windows security issue [can be found in this advisory](https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx).
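The defensive pattern the untrusted-search-path class of bug calls for, shown as an added example that is not GitPython's own code and not the fix shipped in 3.1.41: a helper such as git.exe or bash.exe is resolved only from absolute PATH entries that lie outside the repository, never from the current directory. The function names (`trusted_search_dirs`, `resolve_helper`, `demo`) and the `windows` flag are assumptions made for this illustration; the scenario in `demo` is constructed in a temporary directory.

```python
import os
import sys
import tempfile
from pathlib import Path


def trusted_search_dirs(search_path, repo_dir):
    """Keep only absolute PATH entries that do not lie inside repo_dir."""
    repo = Path(repo_dir).resolve()
    keep = []
    for entry in search_path.split(os.pathsep):
        if not entry or not os.path.isabs(entry):
            continue  # "" and "." both mean the current directory: untrusted
        candidate = Path(entry).resolve()
        if candidate == repo or repo in candidate.parents:
            continue  # a directory the repository controls is never trusted
        keep.append(candidate)
    return keep


def resolve_helper(name, search_path, repo_dir, windows=None):
    """Return the first trusted location of `name`; on Windows also try name + ".exe"."""
    if windows is None:
        windows = sys.platform == "win32"
    names = [name]
    if windows and not name.lower().endswith(".exe"):
        names.append(name + ".exe")  # mirror how the platform completes a bare name
    for directory in trusted_search_dirs(search_path, repo_dir):
        for candidate in names:
            path = directory / candidate
            if path.is_file():
                return str(path)
    return None


def demo():
    """Constructed scenario: a planted git.exe inside the repo, a real one elsewhere."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, trusted = Path(tmp) / "untrusted_repo", Path(tmp) / "trusted_bin"
        repo.mkdir()
        trusted.mkdir()
        (repo / "git.exe").write_text("planted")   # attacker-controlled file
        (trusted / "git.exe").write_text("real")    # stand-in for the installed git
        # Search order that favours the attacker: CWD (empty entry), the repo, then trusted.
        path_var = os.pathsep.join(["", str(repo), str(trusted)])
        found = resolve_helper("git", path_var, repo, windows=True)
        return Path(found).parent.name if found else None  # -> "trusted_bin"
```

Passing `windows=True` makes the demo deterministic on any platform; in real use the flag is derived from `sys.platform`.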
Special thanks go to EliahKagan who reported the issue and fixed it in a single stroke, while being responsible for an incredible amount of improvements that he contributed over the last couple of months ❤️.
What's Changed
* Add `__all__` in git.exc by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1719
* Set submodule update cadence to weekly by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1721
* Never modify sys.path by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1720
* Bump git/ext/gitdb from `8ec2390` to `ec58b7e` by dependabot in https://github.com/gitpython-developers/GitPython/pull/1722
* Revise comments, docstrings, some messages, and a bit of code by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1725
* Use zero-argument super() by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1726
* Remove obsolete note in _iter_packed_refs by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1727
* Reorganize test_util and make xfail marks precise by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1729
* Clarify license and make module top comments more consistent by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1730
* Deprecate compat.is_<platform>, rewriting all uses by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1732
* Revise and restore some module docstrings by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1735
* Make the rmtree callback Windows-only by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1739
* List all non-passing tests in test summaries by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1740
* Document some minor subtleties in test_util.py by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1749
* Always read metadata files as UTF-8 in setup.py by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1748
* Test native Windows on CI by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1745
* Test macOS on CI by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1752
* Let close_fds be True on all platforms by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1753
* Fix IndexFile.from_tree on Windows by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1751
* Remove unused TASKKILL fallback in AutoInterrupt by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1754
* Don't return with operand when conceptually void by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1755
* Group .gitignore entries by purpose by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1758
* Adding dubious ownership handling by marioaag in https://github.com/gitpython-developers/GitPython/pull/1746
* Avoid brittle assumptions about preexisting temporary files in tests by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1759
* Overhaul noqa directives by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1760
* Clarify some Git.execute kill_after_timeout limitations by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1761
* Bump actions/setup-python from 4 to 5 by dependabot in https://github.com/gitpython-developers/GitPython/pull/1763
* Don't install black on Cygwin by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1766
* Extract all "import gc" to module level by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1765
* Extract remaining local "import gc" to module level by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1768
* Replace xfail with gc.collect in TestSubmodule.test_rename by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1767
* Enable CodeQL by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1769
* Replace some uses of the deprecated mktemp function by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1770
* Bump github/codeql-action from 2 to 3 by dependabot in https://github.com/gitpython-developers/GitPython/pull/1773
* Run some Windows environment variable tests only on Windows by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1774
* Fix TemporaryFileSwap regression where file_path could not be Path by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1776
* Improve hooks tests by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1777
* Fix if items of Index is of type PathLike by stegm in https://github.com/gitpython-developers/GitPython/pull/1778
* Better document IterableObj.iter_items and improve some subclasses by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1780
* Revert "Don't install black on Cygwin" by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1783
* Add missing pip in $PATH on Cygwin CI by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1784
* Shorten Iterable docstrings and put IterableObj first by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1785
* Fix incompletely revised Iterable/IterableObj docstrings by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1786
* Pre-deprecate setting Git.USE_SHELL by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1782
* Deprecate Git.USE_SHELL by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1787
* In handle_process_output don't forward finalizer result by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1788
* Fix mypy warning "Missing return statement" by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1789
* Fix two remaining Windows untrusted search path cases by EliahKagan in https://github.com/gitpython-developers/GitPython/pull/1792
New Contributors
* marioaag made their first contribution in https://github.com/gitpython-developers/GitPython/pull/1746
* stegm made their first contribution in https://github.com/gitpython-developers/GitPython/pull/1778
**Full Changelog**: https://github.com/gitpython-developers/GitPython/compare/3.1.40...3.1.41