Date: Sat, 21 Mar 2015 10:26:24 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>,
	Jelmer Vernooij <>
Subject: Possible CVE Request: dulwich: does not prevent to write files in
 commits with invalid paths to working tree


While looking at CVE-2014-9390 I noticed for dulwich reported by
Gary van der Merwe. Does the scope of CVE-2014-9390 also include these bits
from the above:

dulwich happily clones a repository which contains a commit with invalid
paths, say .git/hooks/pre-commit, thus allowing execution of code
on subsequent commits.

dummy@sid:~$ python 
dummy@sid:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEADdummy@sid:~$ cd foo/
dummy@sid:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@sid:~/foo$ ls -l /tmp/cracked 
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked

Upstream (Jelmer Vernooij) has fixed this with commit;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

Does this need a separate CVE from CVE-2014-9390? 


View attachment "" of type "text/x-python" (1135 bytes)
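
An added illustration (not part of the original message and not dulwich's own code) of the kind of check a checkout routine can apply to tree entry paths before writing them, so that an entry such as .git/hooks/pre-commit is refused. All function names and sample paths are hypothetical; the case folding and `git~1` handling go beyond the single case in the message and cover the case-insensitive filesystem variants described in CVE-2014-9390.

```python
# Added example; names are hypothetical and this is not dulwich's implementation.

def is_safe_path_element(element: bytes) -> bool:
    """Return True if one path component may be written to the working tree."""
    # Fold the name the way a case-insensitive, Windows-style filesystem
    # would see it: lower-case, trailing dots and spaces ignored.
    folded = element.rstrip(b". ").lower()
    # An empty result covers "", "." and ".."; "git~1" is the 8.3 short
    # name NTFS may assign to ".git".
    return folded not in (b"", b".git", b"git~1")


def is_safe_tree_path(path: bytes) -> bool:
    """Check every '/'-separated component of a tree entry path."""
    # Conservative assumption: refuse backslashes, since they act as a
    # path separator on Windows.
    if b"\\" in path:
        return False
    # A leading or doubled '/' yields an empty component and is refused.
    return all(is_safe_path_element(p) for p in path.split(b"/"))


def partition_entries(paths):
    """Split tree entry paths into (safe_to_check_out, rejected)."""
    ok, rejected = [], []
    for p in paths:
        (ok if is_safe_tree_path(p) else rejected).append(p)
    return ok, rejected


# Constructed sample tree entries (not taken from the PoC repository).
SAMPLE = [
    b"README",
    b"src/.gitignore",
    b".git/hooks/pre-commit",
    b".GIT/config",
    b"a/../b",
    b"docs/git~1/x",
    b".gitmodules",
]

if __name__ == "__main__":
    ok, rejected = partition_entries(SAMPLE)
    for p in rejected:
        print("refusing to check out:", p.decode())
```

A checkout that runs this filter before creating any file never writes into the repository's control directory, whatever the tree contains.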
