oss-sec mailing list archives

Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 21 Mar 2015 10:26:24 +0100

Hi,

While looking at CVE-2014-9390 I noticed
https://lists.launchpad.net/dulwich-users/msg00827.html for dulwich reported by
Gary van der Merwe. Does the scope of CVE-2014-9390 also include these bits
from the above:

dulwich happily clones a repository which contains a commit with invalid
paths, say .git/hooks/pre-commit, thus allowing execution of code
on subsequent commits.

----cut---------cut---------cut---------cut---------cut---------cut-----
dummy@sid:~$ python PoC.py 
dummy@sid:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEADdummy@sid:~$ cd foo/
dummy@sid:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@sid:~/foo$ ls -l /tmp/cracked 
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked
dummy@sid:~/foo$
----cut---------cut---------cut---------cut---------cut---------cut-----

Upstream (Jelmer Vernooij) has fixed this with commit

https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

Does this need a separate CVE from CVE-2014-9390? 

Regards,
Salvatore

Attachment: PoC.py
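
Added example, not part of the original message and not dulwich's own code: a path check of the kind a checkout routine needs before writing tree entries from a cloned commit into the working tree. It goes beyond the .git/hooks/pre-commit case in the message to the case-insensitive, HFS+ and NTFS spellings of .git associated with CVE-2014-9390; the function names and sample paths are constructed for illustration.

```python
# Added illustration: helper names and the sample tree are constructed.

# Code points HFS+ ignores when comparing file names (assumption: the same
# set Git filters out when checking for ".git" look-alikes).
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def normalize_component(component: bytes) -> str:
    """Fold one path component the way a lenient filesystem compares it."""
    text = component.decode("utf-8", errors="replace")
    text = "".join(ch for ch in text if ord(ch) not in HFS_IGNORABLE)
    # NTFS drops trailing dots and spaces; HFS+ and NTFS ignore case.
    return text.rstrip(". ").lower()


def is_safe_tree_path(path: bytes) -> bool:
    """True only if no component resolves to .git or leaves the work tree."""
    if not path or path.startswith(b"/"):
        return False
    for component in path.split(b"/"):
        if component in (b"", b".", b".."):
            return False
        # "git~1" is the NTFS 8.3 short name that can alias ".git".
        if normalize_component(component) in (".git", "git~1"):
            return False
    return True


def unsafe_paths(tree_paths):
    """Return the entries a checkout must refuse to write."""
    return [p for p in tree_paths if not is_safe_tree_path(p)]


if __name__ == "__main__":
    # Constructed tree listing, as a checkout would see it after a clone.
    sample_tree = [
        b"README.md",
        b".gitignore",
        b".git/hooks/pre-commit",
        b".GIT/hooks/pre-commit",
        ".g\u200cit/hooks/pre-commit".encode("utf-8"),
        b"vendor/git~1/config",
    ]
    for rejected in unsafe_paths(sample_tree):
        print("refusing to check out:", rejected)
```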