Date: Mon, 23 Nov 2015 13:13:08 +0100
From: Jan Rusnacko <jrusnack@...hat.com>
To: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE Request: git

On 10/06/2015 05:56 AM, Seth Arnold wrote:
> Hello MITRE, all,
>
> The git project announced v2.6.1 https://lkml.org/lkml/2015/10/5/683
> and included the following text:
>
> * Some protocols (like git-remote-ext) can execute arbitrary code
>   found in the URL. The URLs that submodules use may come
>   from arbitrary sources (e.g., .gitmodules files in a remote
>   repository), and can hurt those who blindly enable recursive
>   fetch. Restrict the allowed protocols to well known and
>   safe ones.
>
> The following commits appear to implement the restrictions:
>
> https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/
>
> I do not know if this is exhaustive.
>
> The announcement also mentions some int-based overflows but does not
> describe any situations that would allow crossing privilege boundaries.
>
> Please assign CVEs as appropriate.

Can CVE be assigned to this vulnerability please?

-- 
Jan Rusnacko, Red Hat Product Security
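The mechanism the quoted release note describes, shown as an added example that is not part of this thread and not git's own code: a small scanner that parses a .gitmodules file, classifies each submodule URL the way git picks a transport (remote helper "name::", "scheme://", relative path, scp-style "host:path", or a local path), and reports which entries an allowlist of transports would block. The allowlist used here (file, git, http, https, ssh) is assumed to mirror the default the 2.6.1 fix applies to submodule fetches via GIT_ALLOW_PROTOCOL; the .gitmodules content and the function names are constructed for the example.

```python
"""Flag submodule URLs in a .gitmodules file whose transport falls outside
an allowlist.  Added example; not git's implementation."""
import re

# Assumption: the allowlist git 2.6.1 applies to submodule fetches by default.
# Remote helpers such as "ext" and "fd" are deliberately absent: git-remote-ext
# executes the command embedded in the URL, so an attacker-controlled
# .gitmodules could run arbitrary code during a recursive clone or fetch.
DEFAULT_ALLOWED = frozenset({"file", "git", "http", "https", "ssh"})

SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]$')
KEYVAL_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return (name, url) for every submodule section that declares a url.
    Blank lines, comments (# or ;) and other keys are ignored."""
    entries = []
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = KEYVAL_RE.match(line)
        if m and name is not None and m.group(1).lower() == "url":
            entries.append((name, m.group(2)))
    return entries


def _is_scheme_char(ch, first):
    # First character must be a letter; later ones may be alnum or + . -
    return ch.isalpha() if first else (ch.isalnum() or ch in "+.-")


def url_protocol(url):
    """Classify a URL in the order git tries transports:
    <helper>::<args>, <scheme>://..., relative path, scp-style, local path."""
    i = 0
    while i < len(url) and _is_scheme_char(url[i], i == 0):
        i += 1
    if url[i:i + 2] == "::":
        return url[:i].lower()        # remote helper name, e.g. "ext", "fd"
    if url[i:i + 3] == "://":
        return url[:i].lower()        # URL scheme, e.g. "https"
    if url.startswith(("./", "../")):
        return "relative"             # resolved against the superproject's remote
    colon = url.find(":")
    if colon > 0 and "/" not in url[:colon]:
        return "ssh"                  # scp-style user@host:path
    return "file"                     # plain local path


def check_submodule_urls(text, allowed=DEFAULT_ALLOWED, superproject_protocol="https"):
    """Return one dict per submodule with its effective transport and verdict.
    Relative URLs inherit the superproject's transport (assumed here)."""
    findings = []
    for name, url in parse_gitmodules(text):
        proto = url_protocol(url)
        effective = superproject_protocol if proto == "relative" else proto
        findings.append({"name": name, "url": url,
                         "protocol": effective, "allowed": effective in allowed})
    return findings


# Constructed sample: three ordinary submodules plus one carrying an ext:: URL.
# In git-remote-ext syntax "% " is an escaped space, so the last entry would
# run `sh -c "touch /tmp/pwned"` on the fetching machine.
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = lib
\turl = https://example.com/lib.git
[submodule "deploy"]
\tpath = deploy
\turl = git@example.com:org/deploy.git
[submodule "sibling"]
\tpath = sibling
\turl = ../sibling.git
# a .gitmodules pulled from an untrusted remote can say anything here
[submodule "evil"]
\tpath = evil
\turl = ext::sh -c touch% /tmp/pwned
"""

if __name__ == "__main__":
    for f in check_submodule_urls(SAMPLE_GITMODULES):
        verdict = "ok     " if f["allowed"] else "BLOCKED"
        print(f"{verdict} {f['name']:<8} {f['protocol']:<6} {f['url']}")
```

The helper check runs before the "://" check on purpose: "ext::sh -c curl%20http://x" still classifies as the ext helper, while "http://a::b" is an ordinary http URL because the scheme scan stops at the first ":" and finds "://" rather than "::". Tightening the allowlist (for example to https only) is a matter of passing a different set.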