powerline-gitstatus is vulnerable to arbitrary code execution. The vulnerability lies in the get_base_command function in segments.py: when the user changes into a directory belonging to a git repository whose per-repository configuration is under an attacker's control, that configuration is honoured while the segment is rendered, which allows the attacker to inject and execute malicious code on the system.
github.com/advisories/GHSA-w67g-6gjv-c599
github.com/jaspernbrouwer/powerline-gitstatus/commit/da5ef3f65d9d7cc5f2b1df0aab8e4f0df1041783
github.com/jaspernbrouwer/powerline-gitstatus/commit/fe8e963b3489e4cceaa2c1f26f2bcc2ef405364c
github.com/jaspernbrouwer/powerline-gitstatus/issues/45
github.com/jaspernbrouwer/powerline-gitstatus/pull/46/
github.com/jaspernbrouwer/powerline-gitstatus/releases/tag/v1.3.2
lists.debian.org/debian-lts-announce/2023/01/msg00017.html