GHSA-rrjw-j4m2-mf34: 
Rust vulnerability analysis and mitigation

The gix-transport crate, a component of the gitoxide project (a Git implementation in Rust), contains a vulnerability where it does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH, potentially leading to arbitrary code execution if a malicious clone URL is used by an application whose current working directory contains a malicious file. This vulnerability was discovered and patched in versions 0.35.0, 0.42.0, and 0.62.0 (GitHub Advisory).

The vulnerability is related to how SSH URLs are processed. When an address is a URL of the form ssh://username@hostname/path, or takes the special form username@hostname:dirs/repo, the username portion is not properly sanitized before being passed to the external SSH command. If the username begins with a hyphen, SSH treats that argument as an option argument and attempts to interpret it as a sequence of options. While characters like =, /, and \ are URL-encoded, an attacker can still craft malicious usernames that SSH will interpret as command options (GitHub Advisory, RustSec Advisory).

The vulnerability allows attackers to execute arbitrary code through SSH command options if they can control the clone URL and the target system's current working directory contains a malicious file. The attack complexity is considered greater than similar vulnerabilities due to the constraints on forming valid SSH option arguments and the difficulty in completing connections without triggering errors (GitHub Advisory).

The vulnerability has been patched in versions 0.35.0, 0.42.0, and 0.62.0. Users are advised to upgrade to one of these patched versions. The fix involves proper validation of the username portion of SSH URLs to prevent command injection through SSH options (GitHub Advisory).