Intel

AIKIDO-2026-813214

dulwich is vulnerable to Improper Link Resolution Before File Access

Improper Link Resolution Before File AccessGHSA-8w8g-wq8h-fq33 Published 2 days ago

86

High Risk

This Affects:

PYTHONdulwich
0.24.0 - 1.2.7
Fixed in 1.2.8
Are you affected? Scan for Free

TL;DR

Dulwich's path-restricted porcelain.checkout(paths=...) writes files with a raw os.open(file_path, O_WRONLY|O_CREAT|O_TRUNC, mode) call that bypasses build_file_from_blob and follows symlinks at both the target file and intermediate directories. A crafted repository can leave a symlink at a checkout target so that restoring a specific path writes attacker-controlled content, with attacker-controlled mode bits, outside the work tree such as into .git/hooks. Planting an executable hook this way leads to remote code execution on the next checkout. The fix routes these writes through build_file_from_blob, which replaces an existing symlink with a fresh regular file instead of writing through it.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use path-restricted porcelain.checkout(paths=...) on repositories from an untrusted source.

Background info

dulwich is vulnerable to Improper Link Resolution Before File Access in versions 0.24.0 - 1.2.7.

How to fix this

Upgrade the dulwich library to the patch version.