oss-sec mailing list archives

Re: Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree

From: cve-assign () mitre org
Date: Sun, 22 Mar 2015 13:42:07 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does the scope of CVE-2014-9390 also include these bits
from the above:

dulwich happily clones a repository which contains commit with invalid
paths, say .git/hooks/pre-commit, and thus allowing execution of code
on subsequent commits.


No, the scope of CVE-2014-9390 does not include that. Use
CVE-2014-9706 for this vulnerability in dulwich.

The scope of CVE-2014-9390 is currently undefined, in part because
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
intentionally doesn't have any related information. Usage of
CVE-2014-9390 is, very roughly, concerned with "The string .git/ for a
directory name has always been considered Very Special. Therefore,
other strings with equivalence relationships to .git/ must also be
considered Very Special."

The root cause of the problem in dulwich seems to be "The string .git/
for a directory name was not considered Very Special." This is
completely distinct conceptually, and is a much simpler case for CVE
coverage.

There are two types of concerns with CVE-2014-9390. First,
CVE-2014-9390 can only apply to omitted equivalence-relationship
handling in source code that is, or is directly copied from, "Git
before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before
2.1.4, and 2.2.x before 2.2.1" source code. It is not possible to have
a CVE for a cross-implementation vulnerability class of this
equivalence-relationship handling. Second, usage of CVE-2014-9390
seems to span multiple types of problems, possibly including all of:

  http://cwe.mitre.org/data/definitions/178.html
  http://cwe.mitre.org/data/definitions/180.html
  http://cwe.mitre.org/data/definitions/182.html

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVDv4oAAoJEKllVAevmvmsH7EH/3hpPNXiEwIlDR24GR1NuYfi
74PTVtFPPWDajblRV+RTMbZbxp2MdtUR2AmvYYUF5YyqTAOiGm0tWB6EVARhXCMu
QBzYu/9MMUTw2cajei33bFpTfQ+M0XeYBK6Mx7hw86j4zMT2gWSzN05CDcXyaFtC
y02TbwLTGv4CShWlN3ArMaBRYhBRxtF51VnbMvYeygZokdIdNAO9VULshgbBLijc
ZMs4yH9wje9Lctz/x5T2nKEW24pm8pHQAs7v8WwWtSnQ0FfTo5vjdu+iT4zpaOSB
MYmFxjBy4T4YaWQaO/XUP+IUue1lkuwY9olTYCpTVxhD6wAY86MTSDro1QNugFk=
=sxen
-----END PGP SIGNATURE-----

Current thread:

Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree Salvatore Bonaccorso (Mar 21)
- Re: Possible CVE Request: dulwich: does not prevent to write files in commits with invalid paths to working tree cve-assign (Mar 22)