Message-ID: <20170216110843.xvy6khoffph6yy45@jwilk.net>
Date: Thu, 16 Feb 2017 12:08:43 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: git-hub: missing sanitization of data received from GitHub

* Jakub Wilk <jwilk@...lk.net>, 2016-09-29, 17:40:
> git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git
> command-line interface to GitHub. When you ask it to clone a
> repository, it will call:
>
>   git clone <repourl> <reponame>
>
> where both <repourl> and <reponame> come from the GitHub API, without any
> sanitization. Operators of the GitHub server (or a MitM attacker[*])
> could exploit it for directory traversal or, more excitingly, for
> arbitrary code execution, either via option injection, e.g.:
>
>   git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
>
> or more directly with git-remote-ext, e.g.:
>
>   git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

git-spindle is another GitHub CLI, which can be exploited in the same way:
https://github.com/seveas/git-spindle/issues/154

(git-spindle used to be called "git-hub", but this is a different codebase than sociomantic's git-hub.)

-- 
Jakub Wilk
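One way a GitHub CLI could validate the two API-supplied values before handing them to git, as an added example that is not code from git-hub or git-spindle; the scheme/host allowlist, the directory-name pattern and the function names are assumptions:

```python
import re

# Constructed allowlist (assumption): only plain github.com clone URLs are
# accepted, so "ext::..." remote helpers and option-like values never reach git.
REPO_URL_RE = re.compile(
    r"^(?:https|git|ssh)://github\.com/"
    r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?/?$"
)
# Assumed pattern for the target directory: one path component, no separators.
REPO_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

class UnsafeValue(ValueError):
    """A value received from the API that must not reach the git command line."""

def validate_repo_url(url: str) -> str:
    """Accept only a github.com clone URL; reject everything else."""
    if url.startswith("-"):           # git would parse this as an option
        raise UnsafeValue(f"url looks like an option: {url!r}")
    if not REPO_URL_RE.match(url):    # also rejects ext::, fd::, file:// ...
        raise UnsafeValue(f"url not allowed: {url!r}")
    return url

def validate_repo_name(name: str) -> str:
    """Accept a single directory name: no '/', no '..', no leading '-'."""
    if name in ("", ".", "..") or name.startswith("-"):
        raise UnsafeValue(f"bad directory name: {name!r}")
    if not REPO_NAME_RE.match(name):  # rejects separators, whitespace, NUL
        raise UnsafeValue(f"bad directory name: {name!r}")
    return name

def build_clone_argv(repourl: str, reponame: str) -> list:
    """argv for git clone; '--' keeps git from treating either value as an option."""
    return ["git", "clone", "--", validate_repo_url(repourl),
            validate_repo_name(reponame)]

def safe_to_clone(repourl: str, reponame: str) -> bool:
    """True if both values pass validation, False if either is rejected."""
    try:
        build_clone_argv(repourl, reponame)
    except UnsafeValue:
        return False
    return True

if __name__ == "__main__":
    # Pass the list to subprocess.run(argv) without shell=True; never join it
    # into a shell string.
    print(build_clone_argv("https://github.com/sociomantic-tsunami/git-hub",
                           "git-hub"))
```

The allowlist is the important part: because git-remote-ext is selected by the URL prefix alone, a check that only strips a leading `-` would still let the `ext::` form through.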