Message-Id: <20160930065326.E65F713A5B9@smtpvmsrv1.mitre.org>
Date: Fri, 30 Sep 2016 02:53:26 -0400 (EDT)
From: cve-assign@...re.org
To: jwilk@...lk.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: git-hub: missing sanitization of data received from GitHub

> https://github.com/sociomantic-tsunami/git-hub/issues/197
>
> When you ask it to clone a repository, it will call:
>
>   git clone <repourl> <reponame>
>
> where both <repourl> and <reponame> come from GitHub API, without any
> sanitization. Operators of the GitHub server (or a MitM attacker) could
> exploit it for directory traversal or, more excitingly, for arbitrary code
> execution, either via option injection, e.g.:
>
>   git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
>
> or more directly with git-remote-ext, e.g.:
>
>   git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

Use CVE-2016-7793 for the missing validation of <repourl>, and use
CVE-2016-7794 for the missing validation of <reponame>. Roughly
speaking, the proper constraints on <reponame> will be simpler than
the proper constraints on <repourl>. We do not feel it is sensible to
break this down further (e.g., what specific validation rules are
required but not yet implemented) because the validation strategy is
still being discussed in 197.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
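
One possible shape for the two checks named in the message above, as an added example: it is not git-hub's code and not the fix chosen in issue 197, where the strategy was still under discussion. The function names, the scheme allowlist and the character set for <reponame> are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the transports this hypothetical tool needs. scp-style
# "user@host:path" shorthand has no scheme and is rejected here.
ALLOWED_SCHEMES = ("https", "ssh", "git")
_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")
_HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")


def check_reponame(name):
    """<reponame>: a single plain path component, never an option."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("reponame: character outside [A-Za-z0-9._-]")
    if name in (".", "..") or name.startswith("-"):
        raise ValueError("reponame: traversal component or option-like")
    return name


def check_repourl(url):
    """<repourl>: scheme://host/... on an allowlisted transport only."""
    # urlsplit() silently drops some whitespace, so refuse it up front.
    if re.search(r"[\s\x00-\x1f]", url):
        raise ValueError("repourl: whitespace or control character")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("repourl: transport not allowlisted")
    if not _HOST_RE.fullmatch(parts.hostname or ""):
        raise ValueError("repourl: host is empty or not a plain hostname")
    return url


def clone_command(repourl, reponame):
    """Return (argv, extra_env); run argv without a shell, env merged in."""
    # "--" ends option parsing, so neither value can be read as an option.
    argv = ["git", "clone", "--",
            check_repourl(repourl), check_reponame(reponame)]
    # Defence in depth: git itself refuses transports outside this list.
    extra_env = {"GIT_ALLOW_PROTOCOL": ":".join(ALLOWED_SCHEMES)}
    return argv, extra_env
```

The <reponame> rule is a short character allowlist while the <repourl> rule has to parse the value and reason about transport and host, which matches the message's remark that the constraints on <reponame> are the simpler of the two.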