
List:       oss-security
Subject:    Re: [oss-security] CVE Request: git
From:       Jan Rusnacko <jrusnack () redhat ! com>
Date:       2015-11-23 12:13:08
Message-ID: 565302D4.2020900 () redhat ! com

On 10/06/2015 05:56 AM, Seth Arnold wrote:
> Hello MITRE, all,
> 
> The git project announced v2.6.1 https://lkml.org/lkml/2015/10/5/683
> and included the following text:
> 
> 	 * Some protocols (like git-remote-ext) can execute arbitrary code
> 	   found in the URL. The URLs that submodules use may come
> 	   from arbitrary sources (e.g., .gitmodules files in a remote
> 	   repository), and can hurt those who blindly enable recursive
> 	   fetch. Restrict the allowed protocols to well known and
> 	   safe ones.
> 
> The following commits appear to implement the restrictions:
> 
> https://kernel.googlesource.com/pub/scm/git/git/+/a5adaced2e13c135d5d9cc65be9eb95aa3bacedf%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/33cfccbbf35a56e190b79bdec5c85457c952a021%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/5088d3b38775f8ac12d7f77636775b16059b67ef%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/f4113cac0c88b4f36ee6f3abf3218034440a68e3%5E%21/
> https://kernel.googlesource.com/pub/scm/git/git/+/b258116462399b318c86165c61a5c7123043cfd4%5E%21/
> 
> I do not know if this is exhaustive.
> 
> The announcement also mentions some int-based overflows but does not
> describe any situations that would allow crossing privilege boundaries.
> 
> Please assign CVEs as appropriate.

Can CVE be assigned to this vulnerability please?

-- 
Jan Rusnacko, Red Hat Product Security
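The quoted announcement describes the fix as restricting submodule fetches to "well known and safe" protocols, because a `.gitmodules` file pulled from a remote repository can name any transport, including the `ext::` remote helper. The script below is an added example, not code from this thread or from the git project: it parses a `.gitmodules` file, works out which transport git would select for each submodule URL (a `proto::` remote-helper prefix, a `scheme://` URL, an scp-style `host:path` meaning ssh, or a local path meaning file), and flags anything outside an allowlist. The allowlist `SAFE_PROTOCOLS`, the sample `.gitmodules` text and the function names are my own assumptions, chosen to mirror the kind of restriction the announcement describes, and the URL classification is a simplified approximation of git's transport selection (it does not handle Windows drive-letter paths).

```python
import re

# Assumed allowlist of transports treated as "well known and safe"; not git's own table.
SAFE_PROTOCOLS = frozenset({"file", "git", "http", "https", "ssh"})


def classify_url(url):
    """Return the transport name git would select for a remote URL.

    Approximates git's rules: 'proto::rest' selects the remote helper
    git-remote-<proto>; 'scheme://...' is a URL; 'user@host:path' (a colon
    before any slash) is scp-style ssh; anything else is a local path (file).
    """
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9+.-]*)::", url)
    if m:
        return m.group(1).lower()          # e.g. "ext" for "ext::..."
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*)://", url)
    if m:
        return m.group(1).lower()          # e.g. "https"
    if re.match(r"^[^/]+:", url):          # host:path with no slash before the colon
        return "ssh"
    return "file"


def parse_gitmodules(text):
    """Minimal parser for .gitmodules: [submodule "name"] sections holding key = value lines.

    Returns {name: {key: value}}. Comment lines (# or ;) are skipped. This is a
    hypothetical helper, not a full git-config parser (no includes, no quoting rules).
    """
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r'^\[submodule\s+"([^"]+)"\]$', line)
        if m:
            current = modules.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return modules


def audit_gitmodules(text, allowed=SAFE_PROTOCOLS):
    """Return [(name, url, protocol, allowed?)] for every submodule that declares a url."""
    findings = []
    for name, cfg in parse_gitmodules(text).items():
        url = cfg.get("url")
        if url is None:
            continue
        proto = classify_url(url)
        findings.append((name, url, proto, proto in allowed))
    return findings


def unsafe_submodules(text, allowed=SAFE_PROTOCOLS):
    """Names of submodules whose URL uses a transport outside the allowlist."""
    return [name for name, _, _, ok in audit_gitmodules(text, allowed) if not ok]


# Constructed sample .gitmodules; the "helper" entry uses a placeholder ext:: URL.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "bar"]
\tpath = vendor/bar
\turl = git@example.com:org/bar.git
[submodule "helper"]
\tpath = vendor/helper
\turl = ext::placeholder-command
"""

if __name__ == "__main__":
    for name, url, proto, ok in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{'OK ' if ok else 'BAD'} {name:8} {proto:6} {url}")
```

Running the script reports `libfoo` (https) and `bar` (ssh) as allowed and `helper` (ext) as not allowed. A pre-fetch hook or CI check that runs `unsafe_submodules` on the checked-out `.gitmodules` before any recursive clone or fetch gives a repository-side counterpart to the transport restriction the announcement describes.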