
[GHSA-rrjw-j4m2-mf34] gix-transport code execution vulnerability #4317

Conversation

EliahKagan

@EliahKagan EliahKagan commented Apr 26, 2024

Updates

  • Affected products
  • CWEs
  • Description

Comments
This proposes two changes, with separate rationales, that I think are best made together:

  • While working on the newer advisory GHSA-98p4-xjmm-8mfh for a related vulnerability, and when updating its CWEs (#4316), I noticed that this prior advisory did not list any CWEs, and that the original reporter vin01 had attempted to add CWE-88, which I believe is a correct and applicable CWE here. That attempt was part of #3253, and I am unsure why that was closed without merging, but it may have been related to a separate URL change proposed there, which I have not included here.
  • The upstream advisory RUSTSEC-2023-0064 for this credits the original reporter, who does not appear to be credited anywhere in this advisory, including in its metadata. Based on #11, this omission appears to have been an artifact of how the advisory ended up in the database, rather than being the reporter's preference. If the reporter can be credited as such in the advisory's metadata (or, if that is not possible, then even perhaps with another role such as analyst?), I think that might be preferable to including the credit line from the RUSTSEC advisory. Otherwise, I think harmonizing this with the RUSTSEC advisory by adding the credit line may be justified. One outcome I am hoping to avoid is being listed as an analyst here with the original reporter not credited here at all, since that could cause readers to come to the false conclusion that I had discovered or reported this particular vulnerability.

CC: @vin01 (original reporter), @Byron (project maintainer)

@github-actions github-actions bot changed the base branch from main to EliahKagan/advisory-improvement-4317 April 26, 2024 07:49

@Byron Byron left a comment


Thanks for following up on this!

@CallmeMari

Hi @EliahKagan and @Byron, I appreciate the collaboration. I see that @EliahKagan has been given reporter credit via the repo GHSA; in order to also give @vin01 the reporter credit, @Byron needs to give them credit in the repo GHSA.

@EliahKagan

EliahKagan commented Apr 26, 2024

@CallmeMari Thanks for looking into this, and for the quick reply! It looks like there may be some confusion, as there are two related vulnerabilities, and I really am the reporter of the newer one that I have credit on from its repo GHSA, just not the older related one from September 2023, which has no repo GHSA.

Specifically, I did discover and report the more recently reported "via malicious username" vulnerability, GHSA-98p4-xjmm-8mfh, which has this repository-local advisory, as well as having RUSTSEC-2024-0335, and which was fixed in GitoxideLabs/gitoxide#1342. So that I am credited as the reporter there is correct, and I don't think that should be changed.

It is instead the older reported vulnerability GHSA-rrjw-j4m2-mf34 that @vin01 discovered and reported in September 2023. This has the separate older RUSTSEC-2023-0064 (see also GitoxideLabs/gitoxide#1032). That is the vulnerability whose entry in the database I am attempting to update in this pull request, to add a CWE number and to credit @vin01. As far as I am able to see, that vulnerability does not have a repository-local advisory. It looks like maybe that vulnerability was imported from RUSTSEC. Some history behind it, and its credit situation, is available at #11 (comment).

@advisory-database advisory-database bot merged commit 15d0b6e into EliahKagan/advisory-improvement-4317 Jul 8, 2024
@advisory-database

Hi @EliahKagan! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the EliahKagan-GHSA-rrjw-j4m2-mf34 branch July 8, 2024 18:43
@EliahKagan

Thanks, in hindsight my concern about obscuring the reporter was mostly misguided. I'm glad this was merged, and even with me credited as an analyst and nobody else being credited in the metadata, the identity of the actual reporter remains clear due to its prominence in the advisory text itself.

Nonetheless, in case it is possible to even further improve the situation, I've opened #4620 to ask if it's possible to make a repo GHSA corresponding to an existing global one.
