Date: Sat, 21 Mar 2015 10:26:24 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>,
	Jelmer Vernooij <jelmer@...ian.org>
Subject: Possible CVE Request: dulwich: does not prevent to write files in
 commits with invalid paths to working tree

Hi,

While looking at CVE-2014-9390 I noticed
https://lists.launchpad.net/dulwich-users/msg00827.html for dulwich reported by
Gary van der Merwe. Does the scope of CVE-2014-9390 also include these bits
from the above:

dulwich happily clones a repository which contains a commit with invalid
paths, say .git/hooks/pre-commit, thus allowing execution of code
on subsequent commits.

----cut---------cut---------cut---------cut---------cut---------cut-----
dummy@...:~$ python PoC.py 
dummy@...:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEADdummy@...:~$ cd foo/
dummy@...:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@...:~/foo$ ls -l /tmp/cracked 
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked
dummy@...:~/foo$
----cut---------cut---------cut---------cut---------cut---------cut-----

Upstream (Jelmer Vernooij) has fixed this with commit

https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

Does this need a separate CVE from CVE-2014-9390? 

Regards,
Salvatore

View attachment "PoC.py" of type "text/x-python" (1135 bytes)
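
The kind of check whose absence is reported above, as an added example that is not part of the original message and is not dulwich's code: tree entry paths are validated before anything is written to the working tree. The function names and the sample tree are hypothetical; the ignorable code points and the `git~1` short name cover the HFS+ and NTFS variants of `.git` addressed under CVE-2014-9390.

```python
import re

# Code points HFS+ ignores when comparing file names, so ".g\u200cit" == ".git".
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def is_unsafe_component(name: bytes) -> bool:
    """True if a single path component must not be checked out."""
    if name in (b"", b".", b".."):
        return True  # empty (absolute or doubled slash), current dir, parent dir
    text = name.decode("utf-8", "replace")
    text = "".join(ch for ch in text if ord(ch) not in HFS_IGNORABLE)
    # NTFS drops trailing dots and spaces; HFS+ and NTFS both fold case.
    folded = text.rstrip(". ").lower()
    # "git~1" is the 8.3 short name NTFS may assign to ".git".
    # Names made only of dots and spaces are rejected conservatively.
    return folded in ("", ".git", "git~1")


def is_safe_tree_path(path: bytes) -> bool:
    """Validate a full tree entry path taken from a commit."""
    # Split on "/" and also on "\", which is a separator on Windows.
    return not any(is_unsafe_component(c) for c in re.split(rb"[/\\]", path))


def unsafe_entries(paths):
    """Return the entries a checkout should refuse to write."""
    return [p for p in paths if not is_safe_tree_path(p)]


# Constructed sample: paths as they could appear in a hostile commit's tree.
SAMPLE_TREE = [
    b"README",
    b".gitignore",
    b"src/main.py",
    b".git/hooks/pre-commit",
    b".GIT/config",
    b"sub/.git\xe2\x80\x8c/hooks/post-checkout",  # U+200C after ".git"
    b"GIT~1/hooks/pre-commit",
    b"../outside",
]

if __name__ == "__main__":
    for entry in unsafe_entries(SAMPLE_TREE):
        print("refusing to check out:", entry)
```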
