CVE-2024-45405: 
Rust vulnerability analysis and mitigation

CVE-2024-45405 affects the gix-path crate of the gitoxide project (a Rust implementation of git) prior to version 0.10.11. The vulnerability involves improper path resolution when handling configuration files associated with git installations, particularly those containing unusual or non-ASCII characters. The issue was discovered and disclosed on September 6, 2024, affecting the path handling functionality in the gix_path::env component (GitHub Advisory).

The vulnerability occurs in the gixpath::env implementation of the installationconfig and installationconfigprefix functions. These functions call 'git config -l --show-origin' to locate git installation configuration files but fail to use the -z/--null option for literal path reporting. Instead, they attempt to parse quoted paths by simply stripping quotation marks, which can lead to incorrect path resolution when paths contain special characters. The issue has a CVSS v3.1 score of 6.0 (Medium) with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N (GitHub Advisory).

When exploited, this vulnerability could enable a local attacker to inject malicious configuration leading to code execution. The impact is particularly significant in multi-user systems where users install git in predictable locations, or when paths contain non-ASCII characters. The vulnerability can result in the wrong configuration file being accessed, potentially leading to privilege escalation or unauthorized code execution (GitHub Advisory).

The vulnerability has been patched in gix-path version 0.10.11. The fix involves adding the -z/--null and --name-only options to the git command invocation, ensuring literal path reporting and more reliable parsing. Users should upgrade to version 0.10.11 or later to address this vulnerability (GitHub Commit).