Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20200415185944.GA18943@openwall.com>
Date: Wed, 15 Apr 2020 20:59:44 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server

Hi,

Taylor Blau brought this to the distros list a week ago (thanks!), but
unfortunately failed to follow the distros list policy (despite of being
specifically informed of that requirement by distros list members,
twice) to post the information to oss-security on the public disclosure
date/time.  So as list admin, after a delay of more than a day, I am
taking over and do this (being unhappy that I have to do it for others).

Quoting Taylor's original notification to distros:

---
The addressed issue is:

 * CVE-2020-5260:
   With a crafted URL that contains a newline in it, the credential
   helper machinery can be fooled to give credential information for a
   wrong host.  The attack has been made impossible by forbidding a
   newline character in any value passed via the credential protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.
---

I've attached Taylor's original message (sans its large attachment) to
this posting.

Git security releases were made and a security advisory published
yesterday:

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

I've also attached a text export from the above URL to this posting.

(We also have a policy in here that most essential content must be
included in the posting itself rather than only linked to, so that the
posting remains valuable even when the external resources are gone.)

Alexander

View attachment "distros-ttaylorr-20200407.txt" of type "text/plain" (1487 bytes)

View attachment "GHSA-qm7j-c969-7j4q.txt" of type "text/plain" (3119 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.