Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 30 Sep 2016 02:53:26 -0400 (EDT)
From: cve-assign@...re.org
To: jwilk@...lk.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: git-hub: missing sanitization of data received from GitHub

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://github.com/sociomantic-tsunami/git-hub/issues/197
> 
> When you ask it to clone a repository, it will call:
> 
>    git clone <repourl> <reponame>
> 
> where both <repourl> and <reponame> come from GitHub API, without any
> sanitization. Operators of the GitHub server (or a MitM attacker) could
> exploit it for directory traversal or, more excitingly, for arbitrary code
> execution, either via option injection, e.g.:
> 
>    git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
> 
> or more directly with git-remote-ext, e.g.:
> 
>    git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

Use CVE-2016-7793 for the missing validation of <repourl>, and use
CVE-2016-7794 for the missing validation of <reponame>. Roughly
speaking, the proper constraints on <reponame> will be simpler than
the proper constraints on <repourl>. We do not feel it is sensible to
break this down further (e.g., what specific validation rules are
required by not yet implemented) because the validation strategy is
still being discussed in 197.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX7gsWAAoJEHb/MwWLVhi2E8AP/j7PSkFw3SXjin0TVbXv3EmH
xSGpLV0UKT6QUwq5UOU3t8B676rCoQR3u1p401pvQRiEBnRrLk9O/Qm4aQDovXvE
NnT2D5nlc9XOOD9i2mffWsebhe/KXwIb8c9YLmBrhsIvQZxNlkn7SMz9VrkoI/Wp
6qwcl05asMSaayrkSuZs73mpQU3vF2FK04hVK/LNsUT0Sym+XZG5Ir1I9zgrNsxB
AqhdnL2ODDTIRB2f/0UQsLrokvFJwzaHfwkbUEw6g+e4e35gaPLzG7Si2o4cmGiE
+WsyGZJV9owX/0yhxJ9VMxOC9wCr8KPNX+vJjEoAJWai3kDe7xGPSAPVEhICUmCN
MfH7brfQV+wIXfqP4HTb+bFZmrkizQE4jowqqUObpWkpnAatmi8KrOTTUbx0ZIcX
vmqdaRYFkS/66SRr47Dm05hZ/6WbcEbw5IemxNJtMYjDd/lgFJb0aTiJt1LjeaUc
OzdmiD2cQRKlO7ylDsqtx0vIOC6+pM11waw+uhtwZxEHUZQrdHQ+q2sA/u6C2JEd
8jx/5b/Tnudanx3FWlVTGOkiSqMtoSCVdeC1WcAECcRfx4dT0qgkoV5kT8RlRCcD
3efnJPsEocUuPTNv22jzz+v2E8lFgjKYTmHxSLT+lG/XGmpQyIdRD+LyXebHS5Rj
CKOO5Su92yI9fZCpnboN
=2FzE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.