Amazon Linux 2023 Security Advisory: ALAS2023-2026-1871
Advisory Released Date: 2026-06-22
Advisory Updated Date: 2026-06-22
gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to. During checkout, all symlink index entries are deferred and created after regular files using a single shared gix_worktree::Stack. Internally, this uses a gix_fs::Stack. gix_fs::Stack::make_relative_path_current() caches validated path prefixes: when the previously-processed leaf component exactly matches the leading component(s) of the next path, the leaf-to-directory transition at gix-fs/src/stack.rs invokes only delegate.push_directory(), never delegate.push(). In gix_worktree::stack::delegate::StackDelegate, when the state member is State::CreateDirectoryAndAttributesStack, Attributes::push_directory() only loads attributes (from the ODB, in the clone case), and does not perform any other checks. The on-disk symlink_metadata() check and unlink-on-collision live in StackDelegate::push()'s invocation of create_leading_directory(), which is therefore bypassed for the cached prefix. The final symlink is created with plain std::os::unix::fs::symlink, which follows symlinks in parent directories. Therefore, it's possible to provide a tree with duplicate symlink and directory entries that exploits this. This vulnerability is fixed in 0.21.1. (CVE-2026-44471)
Affected Packages:
rust
Issue Correction:
Run dnf update rust --releasever 2023.12.20260622 or dnf update --advisory ALAS2023-2026-1871 --releasever 2023.12.20260622 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
aarch64:
rust-debuginfo-1.96.0-1.amzn2023.0.2.aarch64
rust-analyzer-debuginfo-1.96.0-1.amzn2023.0.2.aarch64
rustfmt-debuginfo-1.96.0-1.amzn2023.0.2.aarch64
clippy-debuginfo-1.96.0-1.amzn2023.0.2.aarch64
cargo-debuginfo-1.96.0-1.amzn2023.0.2.aarch64
rust-std-static-1.96.0-1.amzn2023.0.2.aarch64
clippy-1.96.0-1.amzn2023.0.2.aarch64
rust-1.96.0-1.amzn2023.0.2.aarch64
rust-analyzer-1.96.0-1.amzn2023.0.2.aarch64
rustfmt-1.96.0-1.amzn2023.0.2.aarch64
cargo-1.96.0-1.amzn2023.0.2.aarch64
rust-debugsource-1.96.0-1.amzn2023.0.2.aarch64
rust-doc-1.96.0-1.amzn2023.0.2.aarch64
noarch:
rust-gdb-1.96.0-1.amzn2023.0.2.noarch
rust-toolset-srpm-macros-1.96.0-1.amzn2023.0.2.noarch
rust-debugger-common-1.96.0-1.amzn2023.0.2.noarch
rust-toolset-1.96.0-1.amzn2023.0.2.noarch
rust-std-static-wasm32-wasip1-1.96.0-1.amzn2023.0.2.noarch
rust-std-static-wasm32-unknown-unknown-1.96.0-1.amzn2023.0.2.noarch
rust-lldb-1.96.0-1.amzn2023.0.2.noarch
rust-src-1.96.0-1.amzn2023.0.2.noarch
src:
rust-1.96.0-1.amzn2023.0.2.src
x86_64:
rust-debuginfo-1.96.0-1.amzn2023.0.2.x86_64
clippy-debuginfo-1.96.0-1.amzn2023.0.2.x86_64
rust-analyzer-debuginfo-1.96.0-1.amzn2023.0.2.x86_64
rustfmt-debuginfo-1.96.0-1.amzn2023.0.2.x86_64
rust-std-static-1.96.0-1.amzn2023.0.2.x86_64
rust-1.96.0-1.amzn2023.0.2.x86_64
cargo-debuginfo-1.96.0-1.amzn2023.0.2.x86_64
clippy-1.96.0-1.amzn2023.0.2.x86_64
rustfmt-1.96.0-1.amzn2023.0.2.x86_64
rust-analyzer-1.96.0-1.amzn2023.0.2.x86_64
cargo-1.96.0-1.amzn2023.0.2.x86_64
rust-debugsource-1.96.0-1.amzn2023.0.2.x86_64
rust-doc-1.96.0-1.amzn2023.0.2.x86_64