
Advisory for CVE-2024-35186 (traversal) in gix-fs, gix-index, gix-worktree#1996

Merged: tarcieri merged 1 commit into rustsec:main from EliahKagan:cve-2024-35186-traversal on Jul 8, 2024

Conversation

@EliahKagan (Contributor) commented Jul 3, 2024

This adds notices for the directory traversal vulnerability CVE-2024-35186 (GHSA-7w47-3wg8-547c), as discussed in GitoxideLabs/gitoxide#1437 (cc @Byron). The gitoxide project is divided into a substantial number of crates, and multiple crates are affected, in the sense of containing code that needed to be changed to fix the vulnerability.

This PR proposes notices for only three of the seven crates listed as affected in GHSA-7w47-3wg8-547c. I believe these to be the primary affected crates, such that the other crates are mainly affected due to their use of the primary affected crates (though their code also had to be changed to fit the new API). This is in accordance with my interpretation of the guidance given in #1703 (comment) and #1705 (comment), but I am not certain my extrapolation of that guidance correctly applies it to this situation.

The advisory text--that is, the long description--is the same as the final published version of the text that I wrote as the advisory when reporting the vulnerability. This is to say that it is the same as the text at GHSA-7w47-3wg8-547c, and aside from small differences in the title and references is also the same as the text in the global GHSA advisory.

Specifically in connection with having multiple RUSTSEC notices on multiple crates for this vulnerability, I worry that the advisory text may be confusing, because it does not explicitly name one of the directly affected crates (gix-index), and because when describing behavior it does name a crate that I believe does not need to have a notice added to it (gix-worktree-state). If necessary, I could edit the advisory text--in which case I would probably also make the edits on the repo-level and global GHSA advisories, to avoid creating the false impression that the vulnerabilities are distinct. Although I'm bringing up this possible area of confusion so it can be considered, it seems to me that there might not be any need for a change to the description.

In the TOML headers, I did not include a list of related vulnerabilities. It seems to me that there might be vulnerabilities that should be listed as related, though maybe they could be edited in later. Assuming multiple RUSTSEC notices are added due to more than one crate being affected, maybe they should reference each other. But since their RUSTSEC IDs haven't been assigned, I can't cross-link them now. Also, several fixed Git vulnerabilities, mostly via their repository-local GHSA advisories, are closely conceptually related to aspects of this vulnerability, and linked from the advisory text. Maybe they should be listed as related.

Edit: The other vulnerability discussed in GitoxideLabs/gitoxide#1437 has its notices proposed in #1997.
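For readers unfamiliar with the file format this PR adds, the following is a skeleton of a RUSTSEC advisory header in the advisory-db TOML layout. It is an added illustration for this page, not the file from the PR's commit. The `aliases` field carries the CVE and GHSA identifiers named in the comment above, and `related` is the list the comment says was left out because the sibling RUSTSEC IDs had not been assigned. The date, the patched version range, the keyword and the URL (assembled from the repository and GHSA identifier mentioned above) are placeholders or assumptions, not values taken from the PR.

```toml
# Added illustration of the advisory-db TOML header; not the file from this PR.
# Values marked PLACEHOLDER or ASSUMED are not taken from the page.
[advisory]
# New submissions use RUSTSEC-0000-0000; the real ID is assigned when the PR is merged.
id = "RUSTSEC-0000-0000"
# One advisory file per affected crate; this PR proposes gix-fs, gix-index and gix-worktree.
package = "gix-worktree"
# PLACEHOLDER: publication date of the advisory.
date = "2024-01-01"
# ASSUMED: assembled from the GitoxideLabs/gitoxide repository and the GHSA ID named above.
url = "https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"
# ASSUMED keyword for the vulnerability class.
keywords = ["directory-traversal"]
# Identifiers under which the same vulnerability is tracked in other databases.
aliases = ["CVE-2024-35186", "GHSA-7w47-3wg8-547c"]
# Distinct but closely related advisories (e.g. the sibling RUSTSEC notices for the
# other affected crates, or the Git advisories linked from the description).
# Left empty here, as in the PR, because the sibling IDs were not yet assigned.
related = []

[versions]
# PLACEHOLDER: first release of this crate that contains the fix.
patched = [">= 0.0.0"]
```

In the advisory-db repository this TOML block sits at the top of a Markdown file, fenced as `toml`, followed by the advisory title as a `#` heading and then the long description; that description is the text the comment above says was carried over unchanged from GHSA-7w47-3wg8-547c. The `related` entries can be filled in later once the sibling RUSTSEC IDs exist.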

@tarcieri (Member) left a comment:

Let's try it with this wording and revise if it confuses people

@tarcieri tarcieri merged commit 69cfd10 into rustsec:main Jul 8, 2024
@EliahKagan EliahKagan deleted the cve-2024-35186-traversal branch July 8, 2024 21:09