Date: Sun, 22 Mar 2015 13:42:07 -0400 (EDT) From: cve-assign@...re.org To: carnil@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, jelmer@...ian.org Subject: Re: Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Does the scope of CVE-2014-9390 also include these bits > from the above: > dulwich happily clones a repository which contains commit with invalid > paths, say .git/hooks/pre-commit, and thus allowing execution of code > on subsequent commits. No, the scope of CVE-2014-9390 does not include that. Use CVE-2014-9706 for this vulnerability in dulwich. The scope of CVE-2014-9390 is currently undefined, in part because http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390 intentionally doesn't have any related information. Usage of CVE-2014-9390 is, very roughly, concerned with "The string .git/ for a directory name has always been considered Very Special. Therefore, other strings with equivalence relationships to .git/ must also be considered Very Special." The root cause of the problem in dulwich seems to be "The string .git/ for a directory name was not considered Very Special." This is completely distinct conceptually, and is a much simpler case for CVE coverage. There are two types of concerns with CVE-2014-9390. First, CVE-2014-9390 can only apply to omitted equivalence-relationship handling in source code that is, or is directly copied from, "Git before 188.8.131.52, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1" source code. It is not possible to have a CVE for a cross-implementation vulnerability class of this equivalence-relationship handling. Second, usage of CVE-2014-9390 seems to span multiple types of problems, possibly including all of: http://cwe.mitre.org/data/definitions/178.html http://cwe.mitre.org/data/definitions/180.html http://cwe.mitre.org/data/definitions/182.html - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVDv4oAAoJEKllVAevmvmsH7EH/3hpPNXiEwIlDR24GR1NuYfi 74PTVtFPPWDajblRV+RTMbZbxp2MdtUR2AmvYYUF5YyqTAOiGm0tWB6EVARhXCMu QBzYu/9MMUTw2cajei33bFpTfQ+M0XeYBK6Mx7hw86j4zMT2gWSzN05CDcXyaFtC y02TbwLTGv4CShWlN3ArMaBRYhBRxtF51VnbMvYeygZokdIdNAO9VULshgbBLijc ZMs4yH9wje9Lctz/x5T2nKEW24pm8pHQAs7v8WwWtSnQ0FfTo5vjdu+iT4zpaOSB MYmFxjBy4T4YaWQaO/XUP+IUue1lkuwY9olTYCpTVxhD6wAY86MTSDro1QNugFk= =sxen -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.