oss-sec mailing list archives

CVE Request: git


From: Seth Arnold <seth.arnold () canonical com>
Date: Mon, 5 Oct 2015 20:56:47 -0700

Hello MITRE, all,

The git project announced v2.6.1 https://lkml.org/lkml/2015/10/5/683
and included the following text:

         * Some protocols (like git-remote-ext) can execute arbitrary code
           found in the URL. The URLs that submodules use may come
           from arbitrary sources (e.g., .gitmodules files in a remote
           repository), and can hurt those who blindly enable recursive
           fetch. Restrict the allowed protocols to well known and
           safe ones.

The following commits appear to implement the restrictions:

https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/

I do not know if this is exhaustive.

The announcement also mentions some int-based overflows but does not
describe any situations that would allow crossing privilege boundaries.

Please assign CVEs as appropriate.

Thanks

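For anyone auditing repositories for the submodule case described above, here is an added example (not from the announcement, the git project or the poster) of a check that classifies each URL in a .gitmodules file the way git's transport layer does and flags transports outside an allowlist. It assumes the post-fix allowlist is file, git, http, https and ssh; the sample .gitmodules, its hosts and the helper command are constructed.

```python
import re

# Assumption (not quoted in the announcement): git's post-fix submodule allowlist.
ALLOWED_TRANSPORTS = {"file", "git", "http", "https", "ssh"}
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)(::|://)")

def url_transport(url):
    """Name the transport git would pick for a URL (approximation of git's rules)."""
    m = _SCHEME.match(url)
    if m:
        name, sep = m.group(1).lower(), m.group(2)
        if sep == "::":                 # remote-helper form, e.g. "ext::<command>"
            return name
        return "ssh" if name in ("git+ssh", "ssh+git") else name
    # scp-like "host:path" (':' before any '/') is ssh; anything else is a local path
    return "ssh" if ":" in url.split("/", 1)[0] else "file"

def parse_gitmodules(text):
    """Parse .gitmodules (git-config syntax) into {submodule name: {key: value}}."""
    mods, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r'^\[submodule\s+"(.+)"\]$', line)
        if header:
            current = mods.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return mods

def audit_gitmodules(text, allowed=ALLOWED_TRANSPORTS):
    """(name, url, transport) for every submodule whose transport is not allowed."""
    urls = {name: cfg.get("url", "") for name, cfg in parse_gitmodules(text).items()}
    return [(name, url, url_transport(url)) for name, url in urls.items()
            if url_transport(url) not in allowed]

# Constructed sample .gitmodules; the hosts and the helper command are made up.
SAMPLE = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "tooling"]
\tpath = tools
\turl = git@example.invalid:org/tools.git
[submodule "helper"]
\tpath = vendor/helper
\turl = ext::/usr/local/bin/made-up-helper vendor/helper
"""
```

Running `audit_gitmodules(SAMPLE)` reports only the "helper" entry, whose ext:: URL is exactly what a blind recursive fetch would have handed to a remote helper before the fix.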

