CVE-2026-47712
Path Traversal in Dulwich Git Implementation

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes; path separators (/, \), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch"). A malicious commit subject could therefore direct the generated patch file outside the requested outdir.

This is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only `[A-Za-z0-9._]` are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject.

Until upgrading, callers that pass untrusted commits to porcelain.format_patch can use stdout=True and write the patch to a destination they control, rather than letting format_patch choose the filename; validate the chosen path before opening, e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir; and/or pre-screen commits and refuse to format any whose subject's first line contains /, \, .., or other characters that are not safe on the target filesystem.
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
dulwich   dulwich   up to 1.2.5 (excluding), affected
dulwich   dulwich   from 1.2.5 (including), fixed
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability exists in Dulwich, a pure-Python implementation of Git file formats and protocols, specifically in versions from 0.24.0 up to but not including 1.2.5. The issue is in the function dulwich.porcelain.format_patch, which generates patch filenames based on the commit's subject line. Before the fix, the function only replaced spaces with dashes but allowed dangerous characters like path separators (/ and \), parent-directory components (..), and other filename-hostile characters (such as :) to remain. This allowed a malicious commit subject to manipulate the patch filename to point outside the intended output directory (outdir), potentially leading to files being written in unintended locations.

The vulnerability was fixed in Dulwich version 1.2.5 by sanitizing the commit subject more strictly, allowing only alphanumeric characters, dots, and underscores, collapsing runs of other characters to a single dash, and stripping trailing unsafe characters. This prevents the patch filename from escaping the designated directory.

Until upgrading, users can mitigate the risk by using the stdout=True option to write patches to a controlled destination, validating the resolved patch path to ensure it remains inside the output directory, or pre-screening commit subjects to reject unsafe characters.

Impact Analysis

This vulnerability can allow an attacker who controls commit subjects to cause patch files to be written outside the intended output directory. This could lead to overwriting or creating files in arbitrary locations on the filesystem where the process has write permissions.

Such unauthorized file writes could be used to overwrite important files, inject malicious code, or disrupt system operation, depending on the environment and permissions.

However, the CVSS score is relatively low (3.3), indicating that the attack requires local access with low privileges and user interaction, and it impacts integrity but not confidentiality or availability.

Detection Guidance

This vulnerability involves the dulwich.porcelain.format_patch function generating patch filenames derived from commit subject lines that may contain unsafe characters. Detection involves identifying usage of dulwich versions from 0.24.0 up to but not including 1.2.5 where this issue exists.

To detect if your system is vulnerable, check the installed dulwich version by running the following command in your environment:

  • python -c "import dulwich; print(dulwich.__version__)"

If the version is between 0.24.0 and before 1.2.5, your system is potentially vulnerable.

Additionally, you can scan commit subjects in repositories processed by dulwich to identify any commit messages containing path separators or unsafe characters such as '/', '\', '..', or ':'. For example, using git commands to list commit subjects:

  • git log --pretty=format:%s | grep -E '[/\\]|\.\.|:'

This helps identify commits that could exploit the vulnerability if processed by vulnerable dulwich versions.

Mitigation Strategies

The primary mitigation is to upgrade dulwich to version 1.2.5 or later, where the vulnerability is fixed.

Until upgrading, callers that pass untrusted commits to porcelain.format_patch should:

  • Use the stdout=True option to write the patch to a controlled destination instead of letting format_patch choose the filename.
  • Validate the chosen patch file path before opening it, for example by comparing os.path.realpath(returned_path) against os.path.realpath(outdir) and rejecting any patch whose resolved path is outside outdir.
  • Pre-screen commits and refuse to format any whose subject's first line contains unsafe characters such as '/', '\', '..', or other characters not safe on the target filesystem.