Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 22 Mar 2015 13:42:07 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, jelmer@...ian.org
Subject: Re: Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Does the scope of CVE-2014-9390 also include these bits
> from the above:

> dulwich happily clones a repository which contains commit with invalid
> paths, say .git/hooks/pre-commit, and thus allowing execution of code
> on subsequent commits.

No, the scope of CVE-2014-9390 does not include that. Use
CVE-2014-9706 for this vulnerability in dulwich.

The scope of CVE-2014-9390 is currently undefined, in part because
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
intentionally doesn't have any related information. Usage of
CVE-2014-9390 is, very roughly, concerned with "The string .git/ for a
directory name has always been considered Very Special. Therefore,
other strings with equivalence relationships to .git/ must also be
considered Very Special."

The root cause of the problem in dulwich seems to be "The string .git/
for a directory name was not considered Very Special." This is
completely distinct conceptually, and is a much simpler case for CVE
coverage.

There are two types of concerns with CVE-2014-9390. First,
CVE-2014-9390 can only apply to omitted equivalence-relationship
handling in source code that is, or is directly copied from, "Git
before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before
2.1.4, and 2.2.x before 2.2.1" source code. It is not possible to have
a CVE for a cross-implementation vulnerability class of this
equivalence-relationship handling. Second, usage of CVE-2014-9390
seems to span multiple types of problems, possibly including all of:

  http://cwe.mitre.org/data/definitions/178.html
  http://cwe.mitre.org/data/definitions/180.html
  http://cwe.mitre.org/data/definitions/182.html

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVDv4oAAoJEKllVAevmvmsH7EH/3hpPNXiEwIlDR24GR1NuYfi
74PTVtFPPWDajblRV+RTMbZbxp2MdtUR2AmvYYUF5YyqTAOiGm0tWB6EVARhXCMu
QBzYu/9MMUTw2cajei33bFpTfQ+M0XeYBK6Mx7hw86j4zMT2gWSzN05CDcXyaFtC
y02TbwLTGv4CShWlN3ArMaBRYhBRxtF51VnbMvYeygZokdIdNAO9VULshgbBLijc
ZMs4yH9wje9Lctz/x5T2nKEW24pm8pHQAs7v8WwWtSnQ0FfTo5vjdu+iT4zpaOSB
MYmFxjBy4T4YaWQaO/XUP+IUue1lkuwY9olTYCpTVxhD6wAY86MTSDro1QNugFk=
=sxen
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.