oss-sec mailing list archives

Re: git-hub: missing sanitization of data received from GitHub


From: cve-assign () mitre org
Date: Fri, 30 Sep 2016 02:53:26 -0400 (EDT)


https://github.com/sociomantic-tsunami/git-hub/issues/197

When you ask it to clone a repository, it will call:

   git clone <repourl> <reponame>

where both <repourl> and <reponame> come from GitHub API, without any
sanitization. Operators of the GitHub server (or a MitM attacker) could
exploit it for directory traversal or, more excitingly, for arbitrary code
execution, either via option injection, e.g.:

   git clone 'git://-esystem("cowsay pwned > \x2fdev\x2ftty")/' --config=core.gitProxy=perl

or more directly with git-remote-ext, e.g.:

   git clone 'ext::sh -c cowsay% pwned% >% /dev/tty' moo

Use CVE-2016-7793 for the missing validation of <repourl>, and use
CVE-2016-7794 for the missing validation of <reponame>. Roughly
speaking, the proper constraints on <reponame> will be simpler than
the proper constraints on <repourl>. We do not feel it is sensible to
break this down further (e.g., what specific validation rules are
required but not yet implemented) because the validation strategy is
still being discussed in 197.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
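As an added illustration (not code from git-hub or from the report above), one way a client could constrain the two API-supplied values before they reach `git clone`, mirroring the two CVEs: a simple character-set rule for `<reponame>` and a stricter allow-list for `<repourl>`, plus `--` so nothing after it is ever parsed as an option. The accepted URL forms and the name character set are assumptions made for this example.

```python
import re

# <reponame>: GitHub repository names use letters, digits, '.', '-', '_'.
# Refusing a leading '-' closes option injection; refusing '/', '.' and '..'
# closes directory traversal when the name is used as the target directory.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# <repourl>: assumed policy for this example, only plain GitHub clone URLs.
# Anything else (e.g. an 'ext::' transport, or a URL beginning with '-') is
# refused rather than passed through.
_URL_RE = re.compile(
    r"^(?:https://github\.com/|git@github\.com:|git://github\.com/)"
    r"[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:\.git)?$"
)


def validate_reponame(name):
    """Return name if it is a safe local directory name, else raise ValueError."""
    if name in (".", "..") or name.startswith("-") or not _NAME_RE.match(name):
        raise ValueError("unsafe repository name: %r" % name)
    return name


def validate_repourl(url):
    """Return url if it matches the allow-list, else raise ValueError."""
    if url.startswith("-") or "::" in url or not _URL_RE.match(url):
        raise ValueError("unsafe repository URL: %r" % url)
    return url


def build_clone_argv(url, name):
    """argv for the clone; pass it to subprocess with shell=False.

    '--' ends option parsing in git, so even a value that slipped past the
    checks above could not be read as an option.
    """
    return ["git", "clone", "--", validate_repourl(url), validate_reponame(name)]


def is_safe(url, name):
    """True if both API-supplied values pass validation (handy for tests)."""
    try:
        build_clone_argv(url, name)
        return True
    except ValueError:
        return False
```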

