oss-sec mailing list archives
Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 21 Mar 2015 10:26:24 +0100
Hi,

While looking at CVE-2014-9390 I noticed
https://lists.launchpad.net/dulwich-users/msg00827.html for dulwich
reported by Gary van der Merwe. Does the scope of CVE-2014-9390 also
include these bits from the above:

dulwich happily clones a repository which contains a commit with invalid
paths, say .git/hooks/pre-commit, thus allowing execution of code
on subsequent commits.

----cut---------cut---------cut---------cut---------cut---------cut-----
dummy@sid:~$ python PoC.py
dummy@sid:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEADdummy@sid:~$ cd foo/
dummy@sid:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy@sid:~/foo$ ls -l /tmp/cracked
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked
dummy@sid:~/foo$
----cut---------cut---------cut---------cut---------cut---------cut-----

Upstream (Jelmer Vernooij) has fixed this with commit
https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176

Does this need a separate CVE from CVE-2014-9390?

Regards,
Salvatore
Attachment:
PoC.py
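The check a checkout routine needs before writing tree entries to the working tree, as an added example that is not part of the original post and is not dulwich's own code. The function names and sample paths are constructed for illustration; the NTFS short-name and case-insensitive variants are the ones known from CVE-2014-9390.

```python
# Added example (not dulwich code): reject tree-entry paths that would be
# written into the repository's control directory or outside the work tree.
# All names and the sample data below are constructed for illustration.

# Components that must never appear in a checked-out path.
INVALID_COMPONENTS = {b"", b".", b"..", b".git"}


def is_safe_component(name: bytes, ntfs: bool = True) -> bool:
    """Return True if one path component is safe to create on disk."""
    # Compare case-insensitively: on case-insensitive filesystems
    # ".GIT" and ".git" are the same directory.
    lowered = name.lower()
    if lowered in INVALID_COMPONENTS:
        return False
    if ntfs:
        # NTFS ignores trailing dots and spaces, and "git~1" is the
        # 8.3 short name that can alias ".git".
        stripped = lowered.rstrip(b". ")
        if stripped in (b".git", b"git~1"):
            return False
    return True


def is_safe_tree_path(path: bytes, ntfs: bool = True) -> bool:
    """Validate a full tree path; git tree paths always use '/'."""
    return all(is_safe_component(c, ntfs) for c in path.split(b"/"))


def unsafe_entries(paths, ntfs: bool = True):
    """Return the paths a checkout should refuse to write."""
    return [p for p in paths if not is_safe_tree_path(p, ntfs)]


# Constructed sample of tree-entry paths from an untrusted repository.
SAMPLE = [
    b"README",
    b"src/main.py",
    b".git/hooks/pre-commit",      # the case shown in the post
    b".GIT/config",                # case variant
    b"a/../b",                     # traversal component
    b"docs/.gitignore",            # legitimate: not the ".git" component
    b"git~1/hooks/post-checkout",  # NTFS short-name alias
    b"/etc/x",                     # leading slash gives an empty component
]

if __name__ == "__main__":
    for p in unsafe_entries(SAMPLE):
        print("refusing to check out:", p.decode())
```

Run over every entry of the tree being checked out, before any file is created, so that a single invalid path aborts the checkout rather than leaving a partially written hook behind.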