This builds on #2193 by listing all Unix-like target operating
systems as affected (since a category of OSes like "unix" cannot
currently be represented in RUSTSEC advisory metadata).
The list was obtained by running the command given in:
#1911 (comment)
The vulnerability is specific to Unix-like operating systems
because:
- The vulnerable code runs only in the `unix` build configuration.
- 0777 permissions are meaningful on such systems and (due to
containing 0002) allow any user account on the system to write.
Therefore, if there are any Unix-like systems where Unix-style
filesystem permissions are not used, or that are *truly* single
user (i.e. do not use multiple user accounts, not even for running
daemons with limited privileges), then this vulnerability would not
affect such systems.
In addition, I have not attempted specifically to run the proof of
concept for the vulnerability on most of the listed operating
systems, nor examined whether `gix-worktree-state` might not be
usable on some of them for reasons unrelated to this vulnerability.
Conversely, if new target OSes are added in the future, and they
are Unix-like, then they would probably be vulnerable, even though
not listed here. (It may not be likely that anyone would be using
an affected version of `gix-worktree-state` by that time, though.)
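The point the PR body makes about 0777 containing the 0002 (other-write) bit is easy to check mechanically. The following is an added example, not code from this PR, from gitoxide, or from the RUSTSEC advisory database: it audits a directory tree for world-writable entries on a Unix host and demonstrates the difference between a file given 0o777 and one given 0o755. It assumes a Unix target (it uses `std::os::unix::fs::PermissionsExt`), a writable system temp directory, and the hypothetical file names `script-bad.sh` and `script-good.sh`; modes are applied with `chmod` semantics (`set_permissions`) so that the process umask does not mask the bits, which is what makes 0o777 stick in the first place.

```rust
// Added example (not gitoxide or RUSTSEC code): audit a checkout for
// world-writable paths, the condition the advisory text describes.
// Unix-only: it relies on std::os::unix::fs::PermissionsExt.
use std::fs::{self, File};
use std::io::{self, Write};
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// The other-write bit (0o002). 0o777 contains it, so any account on the
/// system, including unprivileged daemon accounts, may write the file.
const S_IWOTH: u32 = 0o002;

/// True if `mode` grants write access to "other". Works on the raw
/// st_mode value too (file-type bits in the high positions are ignored).
pub fn is_world_writable(mode: u32) -> bool {
    mode & S_IWOTH != 0
}

/// Recursively list files and directories under `root` whose permission
/// bits include other-write. Entries are inspected via symlink_metadata and
/// symlinks are skipped: on Linux a link's own mode is always 0777, so
/// reporting it would be noise, and following it could drag paths outside
/// the tree into the result.
pub fn world_writable_paths(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        let meta = fs::symlink_metadata(&path)?;
        if meta.file_type().is_symlink() {
            continue;
        }
        if is_world_writable(meta.permissions().mode()) {
            found.push(path.clone());
        }
        if meta.is_dir() {
            found.extend(world_writable_paths(&path)?);
        }
    }
    found.sort();
    Ok(found)
}

/// Build a throwaway tree (constructed sample data), give one file the mode
/// the advisory describes (0o777) and one a hardened mode (0o755), and
/// return (bad_flagged, good_flagged) from the audit. The tree is removed
/// before returning.
pub fn demo() -> io::Result<(bool, bool)> {
    let root = std::env::temp_dir().join(format!("ww-demo-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    let bad = root.join("script-bad.sh");   // hypothetical name
    let good = root.join("script-good.sh"); // hypothetical name
    for p in [&bad, &good] {
        File::create(p)?.write_all(b"#!/bin/sh\necho hi\n")?;
    }
    // set_permissions is chmod(2): unlike the mode passed at open(2) time,
    // it is not masked by umask, so 0o777 really ends up on disk.
    fs::set_permissions(&bad, fs::Permissions::from_mode(0o777))?;
    fs::set_permissions(&good, fs::Permissions::from_mode(0o755))?;
    let flagged = world_writable_paths(&root)?;
    let result = (flagged.contains(&bad), flagged.contains(&good));
    fs::remove_dir_all(&root)?;
    Ok(result)
}

fn main() -> io::Result<()> {
    let (bad_flagged, good_flagged) = demo()?;
    println!(
        "0o777 file flagged: {}, 0o755 file flagged: {}",
        bad_flagged, good_flagged
    );
    Ok(())
}
```

Running `world_writable_paths` over a fresh checkout is a quick way to confirm whether a given platform actually exhibits the problem: on a system where Unix permission bits are not honoured, or where the checkout tool never sets 0o777, the list comes back empty.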