This project might be open to known security vulnerabilities, which can be prevented by tightening the version range of affected dependencies. Find detailed information at the bottom.

Crate gix-protocol

Dependencies

(14 total, 5 outdated, 1 possibly insecure)

Crate               Required    Latest   Status
async-trait         ^0.1.51     0.1.79   up to date
bstr                ^1.3.0      1.9.1    up to date
btoi                ^0.4.2      0.4.3    up to date
document-features   ^0.2.0      0.2.8    up to date
futures-io          ^0.3.16     0.3.30   up to date
futures-lite        ^1.12.0     2.3.0    out of date
gix-credentials     ^0.14.0     0.24.2   out of date
gix-features        ^0.29.0     0.38.1   out of date
gix-hash            ^0.11.1     0.14.2   out of date
gix-transport ⚠️    ^0.31.0     0.41.2   out of date (possibly insecure, see below)
maybe-async         ^0.2.6      0.2.10   up to date
nom                 ^7          7.1.3    up to date
serde               ^1.0.114    1.0.197  up to date
thiserror           ^1.0.32     1.0.58   up to date

Dev dependencies

(2 total, 1 outdated)

Crate               Required    Latest   Status
async-std           ^1.9.0      1.12.0   up to date
gix-packetline      ^0.16.0     0.17.5   out of date

Security Vulnerabilities

gix-transport: gix-transport code execution vulnerability

RUSTSEC-2023-0064

Versions of the gix-transport crate before the patched release 0.36.1 allowed an attacker to use a malicious ssh clone URL to pass arbitrary arguments to the ssh program, leading to arbitrary code execution.

The requirement listed above, ^0.31.0, only resolves to 0.31.x and therefore cannot pull in 0.36.1 or later; that is why gix-transport is flagged as possibly insecure.

PoC: gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'

This launches the Calculator application on macOS. The URL's host component begins with "-", so ssh parses it as an -o option rather than a destination; ssh hands the ProxyCommand value to a shell, which expands $IFS to whitespace, and the command run is open -aCalculator.

See https://secure.phabricator.com/T12961 for more details on similar vulnerabilities in git.

Thanks to vin01 for disclosing the issue.
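The mechanism behind the advisory, as an added example that is not code from gitoxide or the gix-transport patch: a minimal constructed parser for ssh://[user@]host[:port]/path URLs (assumption: no IPv6 literals, no percent-encoding), the vulnerable argv shape in which the destination lands right after ssh's own options, and a hardened builder that refuses a destination beginning with "-" and inserts the "--" end-of-options marker. The function and type names are hypothetical.

```rust
// Added example for this page; not code from gitoxide / gix-transport.
// Shows how an ssh:// URL whose host begins with '-' ends up as an option
// in ssh's argv, and a hardened builder that rejects such hosts and adds
// the `--` end-of-options marker. The URL parser is a constructed minimal
// one (assumption: no IPv6 literals, no percent-encoding).

#[derive(Debug, PartialEq)]
pub struct SshUrl {
    pub user: Option<String>,
    pub host: String,
    pub port: Option<u16>,
    pub path: String,
}

/// Parse `ssh://[user@]host[:port]/path` into its parts.
pub fn parse_ssh_url(url: &str) -> Result<SshUrl, String> {
    let rest = url.strip_prefix("ssh://").ok_or("not an ssh:// URL")?;
    // The path starts at the first '/'; everything before it is the authority.
    let slash = rest.find('/').ok_or("missing path")?;
    let (authority, path) = (&rest[..slash], &rest[slash..]);
    // Split off an optional user at the last '@'.
    let (user, hostport) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u.to_string()), h),
        None => (None, authority),
    };
    // Split off an optional numeric port.
    let (host, port) = match hostport.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().map_err(|_| "bad port")?)),
        None => (hostport, None),
    };
    if host.is_empty() {
        return Err("empty host".into());
    }
    Ok(SshUrl { user, host: host.to_string(), port, path: path.to_string() })
}

/// `user@host`, the single destination argument ssh expects.
fn destination(u: &SshUrl) -> String {
    match &u.user {
        Some(user) => format!("{}@{}", user, u.host),
        None => u.host.clone(),
    }
}

/// Vulnerable shape: the destination follows ssh's own options directly, so a
/// host (or user) beginning with '-' is parsed by ssh as another option.
pub fn ssh_argv_unchecked(u: &SshUrl, service: &str) -> Vec<String> {
    let mut argv = vec!["ssh".to_string()];
    if let Some(p) = u.port {
        argv.push("-p".into());
        argv.push(p.to_string());
    }
    argv.push(destination(u));
    argv.push(format!("{} '{}'", service, u.path));
    argv
}

/// Hardened shape: refuse a destination that would be parsed as an option,
/// and place `--` before it so OpenSSH stops option parsing regardless.
pub fn ssh_argv_hardened(u: &SshUrl, service: &str) -> Result<Vec<String>, String> {
    let dest = destination(u);
    if dest.starts_with('-') {
        return Err(format!("refusing destination {:?}: looks like a command-line option", dest));
    }
    let mut argv = vec!["ssh".to_string()];
    if let Some(p) = u.port {
        argv.push("-p".into());
        argv.push(p.to_string());
    }
    argv.push("--".into());
    argv.push(dest);
    argv.push(format!("{} '{}'", service, u.path));
    Ok(argv)
}

fn main() {
    // The advisory's PoC URL, used here only as parser input; nothing is executed.
    let poc = parse_ssh_url("ssh://-oProxyCommand=open$IFS-aCalculator/foo").unwrap();
    println!("unchecked argv: {:?}", ssh_argv_unchecked(&poc, "git-upload-pack"));
    println!("hardened:       {:?}", ssh_argv_hardened(&poc, "git-upload-pack"));
    let ok = parse_ssh_url("ssh://git@example.com:2222/org/repo.git").unwrap();
    println!("hardened:       {:?}", ssh_argv_hardened(&ok, "git-upload-pack"));
}
```

With the PoC URL the unchecked builder yields "-oProxyCommand=open$IFS-aCalculator" as ssh's first argument, which is exactly the option injection the advisory describes. The "--" marker is understood by OpenSSH but not by every ssh-compatible client (git, for instance, has to treat plink and tortoiseplink differently), so the leading-dash check on the destination is the portable part of the defence and "--" is defence in depth.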