Date: Thu, 16 Feb 2017 12:08:43 +0100
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: Re: git-hub: missing sanitization of data received from GitHub

* Jakub Wilk <jwilk@...lk.net>, 2016-09-29, 17:40:
>git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git 
>command-line interface to GitHub. When you ask it to clone a 
>repository, it will call:
>
>  git clone <repourl> <reponame>
>
>where both <repourl> and <reponame> come from GitHub API, without any 
>sanitization. Operators of the GitHub server (or a MitM attacker[*]) 
>could exploit it for directory traversal or, more excitingly, for 
>arbitrary code execution, either via option injection, e.g.:
>
>  git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
>
>or more directly with git-remote-ext, e.g.:
>
>  git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

git-spindle is another GitHub CLI, which can be exploited in the same way:
https://github.com/seveas/git-spindle/issues/154

(git-spindle used to be called "git-hub", but this is a different codebase than 
sociomantic's git-hub.)

-- 
Jakub Wilk
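The fix both tools needed is to validate the two API-supplied values before they reach the `git clone` command line. The following is an added example (not git-hub's or git-spindle's own code); the function names and the transport allow-list are this example's assumptions. It rejects the two payload shapes quoted above (option injection via a leading dash, and the `ext::` remote helper) as well as path traversal in the directory name, and it also terminates option parsing with `--`.

```python
import re
from urllib.parse import urlsplit

# Native git transports only: this excludes remote helpers such as
# git-remote-ext ("ext::<command>"), which runs an arbitrary command.
ALLOWED_SCHEMES = {"https", "ssh", "git"}

# scp-like SSH form (user@host:path); the host may not start with "-".
SCP_LIKE_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9][A-Za-z0-9.-]*:[^-]")

# One plain directory name: no path separators, no leading dash, never "."/"..".
REPONAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UntrustedValueError(ValueError):
    """An API-supplied value that must not reach the git command line."""


def check_repourl(repourl: str) -> str:
    """Accept only URL-form or scp-like addresses for allowed transports."""
    if repourl.startswith("-"):
        raise UntrustedValueError("URL would be parsed as a git option")
    if SCP_LIKE_RE.match(repourl):
        return repourl
    parts = urlsplit(repourl)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UntrustedValueError(f"disallowed transport {parts.scheme!r}")
    if not parts.netloc or parts.netloc.startswith("-"):
        raise UntrustedValueError("URL has no usable host")
    return repourl


def check_reponame(reponame: str) -> str:
    """Accept only a plain directory name, so the clone stays under cwd."""
    if not REPONAME_RE.match(reponame):
        raise UntrustedValueError(f"unsafe directory name {reponame!r}")
    return reponame


def clone_argv(repourl: str, reponame: str) -> list[str]:
    """Build the argv for git clone; "--" ends option parsing, so git never
    treats either value as an option even if a check were bypassed."""
    return ["git", "clone", "--", check_repourl(repourl), check_reponame(reponame)]


def is_safe_clone(repourl: str, reponame: str) -> bool:
    """True when both values pass validation (used by the checks below)."""
    try:
        clone_argv(repourl, reponame)
    except UntrustedValueError:
        return False
    return True
```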
