|
Message-ID: <20150321092624.GA10087@eldamar.local>
Date: Sat, 21 Mar 2015 10:26:24 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>,
Jelmer Vernooij <jelmer@...ian.org>
Subject: Possible CVE Request: dulwich: does not prevent to write files in
commits with invalid paths to working tree
Hi,
While looking at CVE-2014-9390 I noticed
https://lists.launchpad.net/dulwich-users/msg00827.html for dulwich reported by
Gary van der Merwe. Does the scope of CVE-2014-9390 also include these bits
from the above:
dulwich happily clones a repository which contains commit with invalid
paths, say .git/hooks/pre-commit, and thus allowing execution of code
on subsequent commits.
----cut---------cut---------cut---------cut---------cut---------cut-----
dummy@sid:~$ python PoC.py
dummy@sid:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEADdummy@sid:~$ cd foo/
dummy@sid:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@sid:~/foo$ ls -l /tmp/cracked
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked
dummy@sid:~/foo$
----cut---------cut---------cut---------cut---------cut---------cut-----
Upstream (Jelmer Vernooij) has fixed this with commit
https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176
Does this need a separate CVE from CVE-2014-9390?
Regards,
Salvatore
View attachment "PoC.py" of type "text/x-python" (1135 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.