Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 Apr 2020 20:59:44 +0200
From: Solar Designer <>
Subject: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server


Taylor Blau brought this to the distros list a week ago (thanks!), but
unfortunately failed to follow the distros list policy (despite of being
specifically informed of that requirement by distros list members,
twice) to post the information to oss-security on the public disclosure
date/time.  So as list admin, after a delay of more than a day, I am
taking over and do this (being unhappy that I have to do it for others).

Quoting Taylor's original notification to distros:

The addressed issue is:

 * CVE-2020-5260:
   With a crafted URL that contains a newline in it, the credential
   helper machinery can be fooled to give credential information for a
   wrong host.  The attack has been made impossible by forbidding a
   newline character in any value passed via the credential protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.

I've attached Taylor's original message (sans its large attachment) to
this posting.

Git security releases were made and a security advisory published

I've also attached a text export from the above URL to this posting.

(We also have a policy in here that most essential content must be
included in the posting itself rather than only linked to, so that the
posting remains valuable even when the external resources are gone.)


View attachment "distros-ttaylorr-20200407.txt" of type "text/plain" (1487 bytes)

View attachment "GHSA-qm7j-c969-7j4q.txt" of type "text/plain" (3119 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.