CVE-2024-4981
NixOS vulnerability analysis and mitigation

Overview

A vulnerability in the Pagure server (CVE-2024-4981) affects the update_file_in_git() function. A malicious user can submit a git repository containing symbolic links, and edits made to those files through Pagure are applied to whatever the links point to, potentially exposing or overwriting content outside the git repository. The issue was published in May 2024 and affects multiple versions of Pagure server across different Linux distributions (CVE Details, Debian Tracker).

Technical details

The vulnerability is in the pagure/lib/git.py file, specifically in the update_file_in_git() method, which allows files in a Pagure repository to be updated directly from the web interface. The function clones the repository into a temporary folder, writes the new content there, and pushes the change back to either the default branch or a new one. The problem is that the code does not account for symbolic links: when the requested file path points to a symlink, open(filepath) follows it without any validation, so a link that the repository itself ships can redirect the read or write to a file outside the temporary clone. The issue was introduced in commit 54335c2 in release 0.1.11. The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L (Red Hat Bugzilla).

Impact

The vulnerability allows an attacker to write controlled data to arbitrary paths on the system, limited only by the permissions of the system user the git operations run as. In a demonstrated proof of concept, the vulnerability was exploited to gain arbitrary code execution on a staging server by overwriting system files (Red Hat Bugzilla).

Mitigation and workarounds

The vulnerability has been fixed in Pagure version 5.14.1 by validating the file path before it is used. The fix makes update_file_in_git() reject the request if the file path resolves to a location outside the temporary clone or inside its '.git/' folder before performing any read or write. Updated packages have been released for affected distributions (Pagure Commit).
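The following is an added illustration, not Pagure's own code, of the two paths described above: the vulnerable pattern from the Technical details section, where a path inside a temporary clone is handed straight to open(), and the kind of containment check the Mitigation section describes. The function names (write_file_unchecked, resolve_inside_repo, write_file_checked) and the demo scenario are assumptions made for this example; the demo constructs a throwaway clone with a symlink pointing outside it, the way a malicious repository would, and shows the unchecked write clobbering the outside file while the checked write refuses it.

```python
"""Symlink-follow in a temporary clone (the CVE-2024-4981 pattern) beside a hardened check.

Added example; not code from Pagure. Function names and the scenario are assumed.
"""
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested path escapes the clone or touches .git/."""


def write_file_unchecked(repo_dir, rel_path, content):
    """Vulnerable pattern: join the path and open() it.

    open() follows symbolic links, so if rel_path names a symlink that the
    repository itself ships, the write lands wherever the link points,
    including files outside repo_dir that the process may write to.
    """
    filepath = os.path.join(repo_dir, rel_path)
    with open(filepath, "w") as fh:
        fh.write(content)
    return filepath


def resolve_inside_repo(repo_dir, rel_path):
    """Resolve rel_path within repo_dir, rejecting anything that escapes.

    realpath() follows every symlink in the path (intermediate directories
    and the final component), so a link to an outside file resolves to its
    real location and fails the containment test. commonpath() is used rather
    than startswith() so that a sibling like '<repo>2' is not accepted.
    """
    repo_real = os.path.realpath(repo_dir)
    target = os.path.realpath(os.path.join(repo_real, rel_path))
    if os.path.commonpath([repo_real, target]) != repo_real:
        raise UnsafePathError(f"{rel_path!r} resolves outside the repository")
    inside = os.path.relpath(target, repo_real)
    if inside == ".git" or inside.startswith(".git" + os.sep):
        raise UnsafePathError(f"{rel_path!r} resolves into .git/")
    return target


def write_file_checked(repo_dir, rel_path, content):
    """Hardened variant: validate first, then open without following links."""
    target = resolve_inside_repo(repo_dir, rel_path)
    # O_NOFOLLOW closes the remaining window: if the final component is, or
    # becomes, a symlink after the check, os.open() fails instead of following it.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return target


def demo():
    """Constructed scenario: a clone that ships a symlink to a file outside it."""
    with tempfile.TemporaryDirectory() as base:
        outside = os.path.join(base, "outside.txt")  # stands in for a system file
        with open(outside, "w") as fh:
            fh.write("original\n")
        repo = os.path.join(base, "clone")
        os.makedirs(os.path.join(repo, ".git"))
        with open(os.path.join(repo, ".git", "config"), "w") as fh:
            fh.write("[core]\n")
        # The malicious repository tracks README.md as a symlink, not a regular file.
        os.symlink(outside, os.path.join(repo, "README.md"))

        results = {"rejected": []}
        # Hardened path: every escape attempt is refused, a normal file is accepted.
        for rel in ("README.md", "../outside.txt", ".git/config", "notes.txt"):
            try:
                write_file_checked(repo, rel, "hello\n")
            except UnsafePathError:
                results["rejected"].append(rel)
        with open(outside) as fh:
            results["outside_after_checked"] = fh.read()
        with open(os.path.join(repo, "notes.txt")) as fh:
            results["notes"] = fh.read()

        # Vulnerable path: the "edit README.md" request overwrites outside.txt.
        write_file_unchecked(repo, "README.md", "pwned\n")
        with open(outside) as fh:
            results["outside_after_unchecked"] = fh.read()
        return results


if __name__ == "__main__":
    print(demo())
```

The check resolves both the clone directory and the requested path with realpath() before comparing them, because a temporary directory itself may sit behind a symlink (for example /var on macOS), and a naive string prefix test would either reject legitimate paths or accept an escape. The O_NOFOLLOW flag is a belt-and-braces addition against a link created between the check and the write; it is not a substitute for the containment check, since it does nothing about symlinked intermediate directories.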
