dulwich-users team mailing list archive

Thread
Date

Re: Git vulnerability CVE-2014-9390

To: Gary van der Merwe <garyvdm@xxxxxxxxx>, Andi McClure <andi.m.mcclure@xxxxxxxxx>
From: Jelmer Vernooij <jelmer@xxxxxxxxx>
Date: Fri, 19 Dec 2014 02:54:58 +0000
Cc: dulwich-users <dulwich-users@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CAJixRzq5j3YuPYOAHj9+QKuDF_XBmapaAJ2+_0F6qp7ywPNStg@mail.gmail.com>
User-agent: K-9 Mail for Android

I think we do indeed want to filter out suspect paths in the tree building function. 

I'm currently travelling so won't be able to fix this soon; it'd be great if somebody contributed a fix for this.

Cheers, jelmer

On 18 December 2014 17:57:33 GMT-05:00, Gary van der Merwe <garyvdm@xxxxxxxxx> wrote:
>On Thu, Dec 18, 2014 at 11:45 PM, Andi McClure
><andi.m.mcclure@xxxxxxxxx> wrote:
>>
>> News is going around today about a potential-remote-code-execution
>vulnerability in the standard git clients:
>>
>> https://github.com/blog/1938-git-client-vulnerability-announced
>>
>> Is Dulwich potentially affected?
>
>Yes. And not only on case insensitive file systems, like with git, but
>always :-(
>
>I've attached a file to demonstrate it. It creates a repo with a
>commit of a .git/hooks/pre-commit file. Git prevents writing this file
>to the working tree, but dulwich happily writes it out.
>
>/tmp % ./cve-2014-9390-create.py
>/tmp % cd cve-2014-9390-repo.git
>/tmp/cve-2014-9390-repo.git (git)-[master] % git reset --hard
>error: Invalid path '.git/hooks/pre-commit'
>HEAD is now at 1c27312 Evil commit
>/tmp/cve-2014-9390-repo.git (git)-[master] % dulwich reset --hard
>/tmp/cve-2014-9390-repo.git (git)-[master] % git commit -m "test"
>--allow-empty
>You just got cracked! (not really but you could have been!)
>[master 29a7100] test
>
>For my own use cases of dulwich, I'm not affected by this as I only
>ever read and write directly to repos with dulwich with out checking
>out trees to a working tree.  Do other users actually use the dulwich
>index module, or porcilian commands.
>
>How do we fix this? I assume we start by filtering what we write in
>dulwich.index.build_index_from_tree? Filtering the case sensitive and
>case insensitive cases is easy, but some of the other edge cases
>("git~1" on windows, ".g\u200cit" on HFS+) are a little more tricky.
>Do we care about preventing a user from adding these paths to the
>index?
>
>
>Gary
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Mailing list: https://launchpad.net/~dulwich-users
>Post to     : dulwich-users@xxxxxxxxxxxxxxxxxxx
>Unsubscribe : https://launchpad.net/~dulwich-users
>More help   : https://help.launchpad.net/ListHelp

References

Git vulnerability CVE-2014-9390
From: Andi McClure, 2014-12-18
Re: Git vulnerability CVE-2014-9390
From: Gary van der Merwe, 2014-12-18