CVE-2023-41040: Blind local file inclusion

[EliahKagan]

This issue is for tracking the public vulnerability CVE-2023-41040:

In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system.

Further details, including example code, are in CVE-2023-41040.

(I'm opening this issue based on the idea in #1635 (comment) that it's useful to have issues for these. This CVE has been mentioned in #1635, but if #1636 is merged then #1635 may be closed. #1636 fixes CVE-2023-40590 but does not also fix CVE-2023-41040.)

[stsewd]

I went ahead and updated the versions in the local advisories. The global advisories, one is being updated at github/advisory-database#2695, for the other one I can suggest an update at github/advisory-database#2690.

[facutuesca]

@EliahKagan I created a PR with a possible fix for the issue

[plannigan]

It looks like the GitHub advisory was updated with the patched version information. However, the repository advisory does not show the patched version information (not sure why there is a difference).

[stsewd]

Updated 👍

There are two types of advisories, local and global, GitHub updates the global ones, and maintainers (and looks like reporters too) can update the local ones.