Date: Wed, 15 Apr 2020 20:59:44 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server

Hi,

Taylor Blau brought this to the distros list a week ago (thanks!), but unfortunately failed to follow the distros list policy (despite being specifically informed of that requirement by distros list members, twice) to post the information to oss-security on the public disclosure date/time. So as list admin, after a delay of more than a day, I am taking over and doing this (being unhappy that I have to do it for others).

Quoting Taylor's original notification to distros:

---
The addressed issue is:

* CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero.
---

I've attached Taylor's original message (sans its large attachment) to this posting.

Git security releases were made and a security advisory published yesterday:

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

I've also attached a text export from the above URL to this posting. (We also have a policy in here that most essential content must be included in the posting itself rather than only linked to, so that the posting remains valuable even when the external resources are gone.)

Alexander

View attachment "distros-ttaylorr-20200407.txt" of type "text/plain" (1487 bytes)
View attachment "GHSA-qm7j-c969-7j4q.txt" of type "text/plain" (3119 bytes)
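As an added illustration of the fix the advisory describes (example code, not from the post above or from Git itself), the following models Git's line-oriented credential helper format (`key=value` lines, blank line ends the record) and applies the CVE-2020-5260 mitigation: any key or value that contains a newline is refused instead of written, since a newline would otherwise terminate the line early and let the rest be read as a separate attribute. The URL splitting is a deliberately minimal stand-in for Git's own parser and assumes a plain `scheme://host/path` form; the `%0A` handling shows why the check must run after percent-decoding.

```python
# Added example: minimal model of the Git credential wire format with the
# "no newline in any value" check that closed CVE-2020-5260.
from typing import Dict
from urllib.parse import unquote


def credential_write(attrs: Dict[str, str]) -> str:
    """Serialize attributes as key=value lines followed by a blank line.

    Raises ValueError for any key or value containing a newline, which is
    the mitigation: such a value cannot be represented on one line.
    """
    out = []
    for key, value in attrs.items():
        if "\n" in key or "\n" in value:
            raise ValueError(f"credential value for {key!r} contains newline")
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n\n"  # blank line terminates the record


def credential_read(text: str) -> Dict[str, str]:
    """Parse one record of the wire format back into attributes."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if line == "":  # blank line ends the record
            break
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs


def credential_from_url(url: str) -> Dict[str, str]:
    """Decompose a percent-encoded scheme://host/path URL (assumed shape)
    into the attributes a helper would receive. Decoding happens first, so
    an encoded %0A becomes a literal newline and is caught by the check."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("URL has no protocol")
    host, _, path = rest.partition("/")
    attrs = {"protocol": scheme, "host": unquote(host)}
    if path:
        attrs["path"] = unquote(path)
    credential_write(attrs)  # validates: raises if any value spans a line
    return attrs
```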