
List:       oss-security
Subject:    [oss-security] Re: git-hub: missing sanitization of data received from GitHub
From:       cve-assign () mitre ! org
Date:       2016-09-30 6:53:26
Message-ID: 20160930065326.E65F713A5B9 () smtpvmsrv1 ! mitre ! org

> https://github.com/sociomantic-tsunami/git-hub/issues/197
> 
> When you ask it to clone a repository, it will call:
> 
>    git clone <repourl> <reponame>
> 
> where both <repourl> and <reponame> come from GitHub API, without any
> sanitization. Operators of the GitHub server (or a MitM attacker) could
> exploit it for directory traversal or, more excitingly, for arbitrary code
> execution, either via option injection, e.g.:
> 
>    git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl
> 
> or more directly with git-remote-ext, e.g.:
> 
>    git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

Use CVE-2016-7793 for the missing validation of <repourl>, and use
CVE-2016-7794 for the missing validation of <reponame>. Roughly
speaking, the proper constraints on <reponame> will be simpler than
the proper constraints on <repourl>. We do not feel it is sensible to
break this down further (e.g., what specific validation rules are
required but not yet implemented) because the validation strategy is
still being discussed in 197.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
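
One possible shape for the two validations discussed above, as an added example (not part of the original message and not git-hub's own code). The allowlists and all function names are assumptions of this sketch; the message notes that the actual strategy was still being discussed in issue 197.

```python
import os
import re
import subprocess
from urllib.parse import urlsplit

# Assumptions of this sketch, not rules agreed in issue 197.
ALLOWED_SCHEMES = ("https", "ssh", "git")  # no ext::, file://, or scp-style "host:path"
NAME_RE = re.compile(r"[A-Za-z0-9._][A-Za-z0-9._-]{0,99}")
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")


def check_repo_name(name):
    """<reponame>: one path component that cannot be read as an option."""
    if not NAME_RE.fullmatch(name) or name in (".", ".."):
        raise ValueError("unsafe repository name: %r" % name)
    return name


def check_repo_url(url):
    """<repourl>: allowlisted transport, plain host name, no whitespace."""
    if url.startswith("-") or any(c.isspace() or ord(c) < 0x20 for c in url):
        raise ValueError("unsafe repository URL: %r" % url)
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("transport not allowed: %r" % url)
    if not HOST_RE.fullmatch(parts.hostname or ""):
        raise ValueError("unsafe host in URL: %r" % url)
    return url


def clone_argv(url, name):
    """Argument vector for the clone; '--' ends option parsing."""
    return ["git", "clone", "--", check_repo_url(url), check_repo_name(name)]


def is_acceptable(url, name):
    """True when both API-supplied values pass validation."""
    try:
        clone_argv(url, name)
    except ValueError:
        return False
    return True


def clone(url, name):
    """Run the clone with git itself restricted to the same transports."""
    env = dict(os.environ, GIT_ALLOW_PROTOCOL=":".join(ALLOWED_SCHEMES))
    return subprocess.run(clone_argv(url, name), env=env, check=True)
```

The name check is the simpler of the two, as the message anticipates; the URL check and GIT_ALLOW_PROTOCOL overlap on purpose, so an unexpected transport is refused even if one layer is bypassed.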