RUSTSEC PR draft - Advisory for CVE-2024-35197 in gix-ref, gix-index, gix-worktree

This adds notices for the Windows device name handling vulnerability CVE-2024-35197 (https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9). This is a separate vulnerability from the one that # is about—and I cannot open a single PR for both because they both have RUSTSEC-0000-0000.md files in two of the same locations until IDs are assigned—but it is likewise discussed in Byron/gitoxide#1437 (cc @Byron).

The advisory text (long description) is what I wrote for https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9 and is essentially the same as in the global advisory. This is analogous to the situation in #, albeit for different advisories/vulnerabilities. Both there and here, it is and has always been my intention that this text be dedicated to the public domain (with CC0).

Some of the same considerations there apply here as well, such as the possible need to create multiple RUSTSEC advisories since multiple crates are affected in a way that is not fully independent. However, here there is another factor: gix-ref is affected in a very different way from the other crates.

That is because this vulnerability has two clearly distinct aspects, or variants: the effect on references, which causes gix-ref to be a directly affected crate; and the effect on paths, which is wholly independent of gix-ref and which the advisory text describes behaviorally in terms of gix-worktree-state, but for which I consider the primary affected crates to be gix-index and gix-worktree.

This bifurcation may justify altering the RUSTSEC advisory text so that the different affected crates are described differently, with one long description for gix-ref that covers only the effect on references, and a separate long description for gix-index and gix-worktree that covers only the effect on paths. I am unsure if this is justified, but if so then I would be pleased to make that change. Unlike most advisory text changes, this would not require a corresponding change in the repo-local or global GHSA advisory text (since those notices would still need to combine the two aspects of the vulnerability into one description).

I wasn't sure what, if anything, to put here for categories or keywords. Although I'd prefer to list a category if one is clearly correct, I'm not sure any properly applies for this or most CWE-67 vulnerabilities. (Few such vulnerabilities seem to have been reported in recent years; it looks like this one is the only one in GHSA.) A possible impact is denial of service, either by disrupting interaction with external devices, or by writing a large amount of text to a terminal. But I don't think DoS is the main concern for this vulnerability. For now I have not listed any categories.
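To make the device-name handling described above concrete, here is an added example of the kind of component-level check a defender can run before creating a reference file or checking out a path on Windows. It is illustration code, not gitoxide's code and not part of this draft; the reserved set (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and the rules about extensions and trailing dots/spaces are assumptions drawn from Windows naming conventions, not from the advisory.

```rust
// Added example, not gitoxide's code: detect path components that Windows
// resolves as device names (CWE-67). Assumed rules: the reserved set is
// CON, PRN, AUX, NUL, COM1-9, LPT1-9; matching is case-insensitive; a name
// is still a device when an extension follows ("CON.txt") or when trailing
// spaces/dots are present ("NUL."). COM0/LPT0 and superscript digits are
// deliberately not covered here.

fn is_com_or_lpt(upper: &str) -> bool {
    // COM<n> / LPT<n> with exactly one digit 1-9 after the prefix.
    let rest = match upper.strip_prefix("COM").or_else(|| upper.strip_prefix("LPT")) {
        Some(rest) => rest,
        None => return false,
    };
    let mut chars = rest.chars();
    matches!((chars.next(), chars.next()), (Some('1'..='9'), None))
}

/// True if a single path segment (no separators) would be interpreted by
/// Windows as a reserved device name.
pub fn is_windows_device_name(component: &str) -> bool {
    // Windows strips trailing spaces and dots, so "CON." and "CON " are CON.
    let trimmed = component.trim_end_matches(|c: char| c == ' ' || c == '.');
    // Only the stem before the first dot matters: "CON.txt" is still CON.
    let stem = trimmed.split('.').next().unwrap_or("").trim_end_matches(' ');
    let upper = stem.to_ascii_uppercase();
    matches!(upper.as_str(), "CON" | "PRN" | "AUX" | "NUL") || is_com_or_lpt(&upper)
}

/// Checks each component of a repository-relative path or reference name
/// ("refs/heads/CON", "dir\\NUL.txt") and returns the first offending one.
/// Both '/' and '\\' count as separators because Windows accepts either.
pub fn find_device_name_component(path: &str) -> Option<&str> {
    path.split(|c: char| c == '/' || c == '\\')
        .find(|component| is_windows_device_name(component))
}

fn main() {
    // Constructed sample inputs: reference names and worktree paths.
    let samples = ["refs/heads/main", "refs/heads/CON", "src/aux.rs", "logs\\LPT1.log", "COM10/ok"];
    for s in samples {
        match find_device_name_component(s) {
            Some(bad) => println!("REJECT {s:?}: component {bad:?} is a Windows device name"),
            None => println!("ok     {s:?}"),
        }
    }
}
```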