Gitoxide gix-worktree-state World-Writable File Permission Vulnerability
Vulnerability
A vulnerability in Gitoxide's gix-worktree-state component, prior to version 0.17.0, allows executable files to be checked out with world-writable permissions. The issue arises because one of the methods used to set file permissions does not respect the process umask, so an executable intended to be mode 0777 minus the umask (for example 0755) is actually left at 0777. The vulnerability affects Unix-like systems, where it can expose checked-out files to unauthorized modification by other local users.
Impact
The vulnerability allows files to be created or modified with unrestricted permissions, posing a risk of unauthorized access and changes, particularly on multi-user systems or when running applications with limited privileges.
Reproduction
The vulnerability can be reproduced by creating a new Git repository, adding an executable file, and staging it. A checkout through 'gix-worktree-state' then writes the executable with mode 0777 instead of applying the umask. Inspecting the file permissions after the checkout shows the world-writable bit set on the executable.
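As an added illustration (not code from the gitoxide project), this Rust program contrasts the two ways of applying a mode to a freshly created executable: set_permissions(), which calls chmod(2) and ignores the umask, and supplying the mode at open(2), which the kernel masks. It also includes a recursive check a defender can run over a checked-out worktree to find world-writable files. The script content, file names and temporary directory are constructed for the example.

```rust
use std::fs::{self, OpenOptions};
use std::io::Write;
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

// Constructed sample content for the executable being "checked out".
const SCRIPT: &[u8] = b"#!/bin/sh\necho checked out\n";

/// Defective pattern: set_permissions() is chmod(2), which never consults
/// the umask, so asking for 0o777 leaves the file world-writable on any umask.
pub fn write_exec_ignoring_umask(path: &Path) -> std::io::Result<u32> {
    fs::write(path, SCRIPT)?;
    fs::set_permissions(path, fs::Permissions::from_mode(0o777))?;
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Corrected pattern: pass the mode to open(2) when the file is created, so the
/// kernel yields 0o777 & !umask (0o755 under umask 022). open(2) applies the mode
/// only to a newly created file, hence create_new(): an existing file keeps its bits.
pub fn write_exec_respecting_umask(path: &Path) -> std::io::Result<u32> {
    let mut file = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o777)
        .open(path)?;
    file.write_all(SCRIPT)?;
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Defender check: recursively list regular files under `dir` that are writable
/// by "other" (the 0o002 bit), which is the condition this advisory describes.
pub fn world_writable_files(dir: &Path) -> std::io::Result<Vec<PathBuf>> {
    let mut found = Vec::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let meta = entry.metadata()?;
        if meta.is_dir() {
            found.extend(world_writable_files(&entry.path())?);
        } else if meta.is_file() && meta.permissions().mode() & 0o002 != 0 {
            found.push(entry.path());
        }
    }
    found.sort();
    Ok(found)
}

fn main() -> std::io::Result<()> {
    let dir = std::env::temp_dir().join(format!("worktree-perm-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    println!("chmod path: {:o}", write_exec_ignoring_umask(&dir.join("bad.sh"))?);
    println!("open path:  {:o}", write_exec_respecting_umask(&dir.join("good.sh"))?);
    println!("world-writable: {:?}", world_writable_files(&dir)?);
    fs::remove_dir_all(&dir)
}
```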
Remediation
Users should update to Gitoxide gix-worktree-state version 0.17.0 or later, where this vulnerability has been fixed.
