oss-sec mailing list archives
Re: git-hub: missing sanitization of data received from GitHub
From: cve-assign () mitre org
Date: Fri, 30 Sep 2016 02:53:26 -0400 (EDT)
> https://github.com/sociomantic-tsunami/git-hub/issues/197
>
> When you ask it to clone a repository, it will call:
>
>     git clone <repourl> <reponame>
>
> where both <repourl> and <reponame> come from the GitHub API, without any sanitization.
>
> Operators of the GitHub server (or a MitM attacker) could exploit it for directory traversal or, more excitingly, for arbitrary code execution, either via option injection, e.g.:
>
>     git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
>
> or more directly with git-remote-ext, e.g.:
>
>     git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo
Use CVE-2016-7793 for the missing validation of <repourl>, and use CVE-2016-7794 for the missing validation of <reponame>. Roughly speaking, the proper constraints on <reponame> will be simpler than the proper constraints on <repourl>.

We do not feel it is sensible to break this down further (e.g., what specific validation rules are required but not yet implemented) because the validation strategy is still being discussed in 197.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
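As an added example (not git-hub's own code, and not the rules eventually settled on in issue 197), the Python below sketches the two-tier validation the CVE split implies: a simple allowlist for <reponame>, a stricter one for <repourl>, and a `--` separator so that neither value can ever be parsed by git as an option. Pinning the host to github.com and the exact character sets are assumptions.

```python
import re
from urllib.parse import urlsplit

# Added example, not git-hub's own code. The allowlist rules below are
# assumptions for illustration, not the validation adopted in issue 197.

# <reponame>: one directory component. A leading '-' (option injection),
# any '/', and '.' / '..' (traversal) all fail this pattern.
REPONAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")
# A GitHub repo path is exactly /owner/repo or /owner/repo.git.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
ALLOWED_SCHEMES = {"https", "git", "ssh"}
ALLOWED_HOST = "github.com"  # assumption: the tool only clones from GitHub


def valid_reponame(name: str) -> bool:
    return REPONAME_RE.match(name) is not None


def valid_repourl(url: str) -> bool:
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # 'ext::sh -c ...' parses with scheme 'ext' and is rejected here; an
    # scp-like 'git@github.com:owner/repo' has no scheme and is rejected too.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # 'git://-esystem(...)/' carries a bogus host beginning with '-'.
    if parts.hostname != ALLOWED_HOST:
        return False
    if parts.query or parts.fragment or parts.username not in (None, "git"):
        return False
    segments = parts.path.split("/")[1:]
    return len(segments) == 2 and all(SEGMENT_RE.match(s) for s in segments)


def build_clone_argv(url: str, name: str) -> list:
    """Return the argv for the clone, or raise ValueError on untrusted input."""
    if not valid_repourl(url):
        raise ValueError("untrusted repository URL from API")
    if not valid_reponame(name):
        raise ValueError("untrusted repository name from API")
    # '--' is defence in depth: git treats everything after it as operands,
    # so a value such as '--config=core.gitProxy=perl' can never be an option.
    return ["git", "clone", "--", url, name]
```

Run the clone with `subprocess.run(build_clone_argv(url, name), check=True)` rather than through a shell, so the values are passed as discrete arguments.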
Current thread:
- git-hub: missing sanitization of data received from GitHub Jakub Wilk (Sep 29)
- Re: git-hub: missing sanitization of data received from GitHub cve-assign (Sep 29)