Message-ID: <20160929154004.kphifrcks2b7boh6@jwilk.net>
Date: Thu, 29 Sep 2016 17:40:04 +0200
From: Jakub Wilk <jwilk@...lk.net>
To: oss-security@...ts.openwall.com
Subject: git-hub: missing sanitization of data received from GitHub

git-hub <https://github.com/sociomantic-tsunami/git-hub> is a Git command-line interface to GitHub.

When you ask it to clone a repository, it will call:

  git clone <repourl> <reponame>

where both <repourl> and <reponame> come from GitHub API, without any sanitization.

Operators of the GitHub server (or a MitM attacker[*]) could exploit it for directory traversal or, more excitingly, for arbitrary code execution, either via option injection, e.g.:

  git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl

or more directly with git-remote-ext, e.g.:

  git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

Upstream bug report:
https://github.com/sociomantic-tsunami/git-hub/issues/197

[*] git-hub is implemented in Python, which didn't verify HTTPS certificates before 2.7.9; and git-hub doesn't enable verification on its own either.

-- 
Jakub Wilk
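An added example (not code from the report or from the git-hub project) of the validation the report says is missing before API data reaches git clone: it accepts only plain https://github.com/... URLs and simple directory names, puts `--` before the positional arguments so nothing is parsed as an option, and never goes through a shell. The function names and the pinned host are assumptions.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Characters GitHub allows in a repository name.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
# Assumption: clones are only ever expected from this host over HTTPS.
_ALLOWED_SCHEME = "https"
_ALLOWED_HOST = "github.com"


def is_safe_repo_name(name):
    """True if name can be passed to git clone as a plain directory name.

    Rejects path separators and '.'/'..' (directory traversal) and a
    leading '-' (git would read it as an option).
    """
    if not _NAME_RE.fullmatch(name):
        return False
    return name not in (".", "..") and not name.startswith("-")


def is_safe_repo_url(url):
    """True if url is a plain https://github.com/... repository URL.

    Refuses anything starting with '-', any other scheme (git://, ssh://,
    file://) and in particular the ext:: transport, which runs a command,
    plus any '..' component in the path.
    """
    if url.startswith("-"):
        return False
    parts = urlsplit(url)
    if parts.scheme != _ALLOWED_SCHEME or parts.netloc != _ALLOWED_HOST:
        return False
    return bool(parts.path) and ".." not in parts.path.split("/")


def build_clone_argv(url, name):
    """Return the argv for git clone, or raise ValueError on unsafe input.

    '--' ends git's option parsing; the list form means no shell is involved.
    """
    if not is_safe_repo_url(url):
        raise ValueError("refusing to clone from %r" % (url,))
    if not is_safe_repo_name(name):
        raise ValueError("refusing to use %r as target directory" % (name,))
    return ["git", "clone", "--", url, name]


def clone(url, name):
    """Run the validated clone without a shell."""
    subprocess.run(build_clone_argv(url, name), check=True)
```

The report's two payloads fail `is_safe_repo_url` (scheme `git`/`ext`) and `is_safe_repo_name` (leading `-`) respectively, and a name such as `../etc` is refused by the regex before `--` is even needed.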