← Back to team overview

dulwich-users team mailing list archive

Re: Git vulnerability CVE-2014-9390


I think we do indeed want to filter out suspect paths in the tree building function. 

I'm currently travelling so won't be able to fix this soon; it'd be great if somebody contributed a fix for this.

Cheers, jelmer

On 18 December 2014 17:57:33 GMT-05:00, Gary van der Merwe <garyvdm@xxxxxxxxx> wrote:
>On Thu, Dec 18, 2014 at 11:45 PM, Andi McClure
><andi.m.mcclure@xxxxxxxxx> wrote:
>> News is going around today about a potential-remote-code-execution
>vulnerability in the standard git clients:
>> https://github.com/blog/1938-git-client-vulnerability-announced
>> Is Dulwich potentially affected?
>Yes. And not only on case insensitive file systems, like with git, but
>always :-(
>I've attached a file to demonstrate it. It creates a repo with a
>commit of a .git/hooks/pre-commit file. Git prevents writing this file
>to the working tree, but dulwich happily writes it out.
>/tmp % ./cve-2014-9390-create.py
>/tmp % cd cve-2014-9390-repo.git
>/tmp/cve-2014-9390-repo.git (git)-[master] % git reset --hard
>error: Invalid path '.git/hooks/pre-commit'
>HEAD is now at 1c27312 Evil commit
>/tmp/cve-2014-9390-repo.git (git)-[master] % dulwich reset --hard
>/tmp/cve-2014-9390-repo.git (git)-[master] % git commit -m "test"
>You just got cracked! (not really but you could have been!)
>[master 29a7100] test
>For my own use cases of dulwich, I'm not affected by this as I only
>ever read and write directly to repos with dulwich with out checking
>out trees to a working tree.  Do other users actually use the dulwich
>index module, or porcilian commands.
>How do we fix this? I assume we start by filtering what we write in
>dulwich.index.build_index_from_tree? Filtering the case sensitive and
>case insensitive cases is easy, but some of the other edge cases
>("git~1" on windows, ".g\u200cit" on HFS+) are a little more tricky.
>Do we care about preventing a user from adding these paths to the
>Mailing list: https://launchpad.net/~dulwich-users
>Post to     : dulwich-users@xxxxxxxxxxxxxxxxxxx
>Unsubscribe : https://launchpad.net/~dulwich-users
>More help   : https://help.launchpad.net/ListHelp