author Joey Hess <joeyh@joeyh.name> 2017-08-18 11:36:34 -0400
committer Joey Hess <joeyh@joeyh.name> 2017-08-18 11:36:34 -0400
commit 6b7bad9d7eefa17f4c3a0baa14fb2b89d6c2a319 (patch)
tree d740a7684979bf893e2fad67704f2b4ca39fc1c9
parent 66e7b62912d48d18f8d82535e8f3a51a22d7b566 (diff)
add bug for security hole, with exploit details
-rw-r--r-- doc/bugs/dashed_ssh_hostname_security_hole.mdwn | 25
-rw-r--r-- doc/news/version_6.20170818.mdwn | 9
2 files changed, 31 insertions, 3 deletions
diff --git a/doc/bugs/dashed_ssh_hostname_security_hole.mdwn b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
new file mode 100644
index 000000000..3afe367ac
--- /dev/null
+++ b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
@@ -0,0 +1,25 @@
+git-annex was vulnerable to the same class of security hole as
+git's CVE-2017-1000117. In several cases, git-annex parses a repository
+url, and uses it to generate a ssh command, with the hostname to ssh to
+coming from the url. If the hostname it parses is something like
+"-eProxyCommand=evil", this could result in arbitrary local code execution
+via ssh.
+
+I have not bothered to try to exploit the problem, and some details of URL
+parsing may prevent the exploit working in some cases.
+
+Exploiting this would involve the attacker tricking the victim into adding
+a remote something like "ssh://-eProxyCommand=evil/blah".
+
+One possible avenue for an attacker that avoids exposing the URL to the
+user is to use initremote with a ssh remote, so embedding the URL in the
+git-annex branch. Then the victim would enable it with enableremote.
+
+This was fixed in version 6.20170818. Now there's a SshHost type that
+is not allowed to start with a dash, and every invocation of git-annex is
+in a function that takes a SshHost.
+
+[[done]]
+
+--[[Joey]]
+
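Review bot: the closing sentence of the new bug page, "every invocation of git-annex is in a function that takes a SshHost", most likely should read "every invocation of ssh", since the mitigation being described is that the SshHost type (which rejects a hostname starting with a dash) must be supplied wherever git-annex builds an ssh command from a parsed repository url. Since the page singles out initremote/enableremote as the path that hides the url from the user, it would also help to state explicitly that hostnames taken from the git-annex branch pass through the same SshHost check.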
diff --git a/doc/news/version_6.20170818.mdwn b/doc/news/version_6.20170818.mdwn
index 09cb8172a..97ad292ea 100644
--- a/doc/news/version_6.20170818.mdwn
+++ b/doc/news/version_6.20170818.mdwn
@@ -1,6 +1,9 @@
-**Note** this is a security fix release. While the security
-hole needs perhaps some social engineering to exploit, a prompt upgrade is
-strongly recommended.
+**Note** this is a security fix release. A prompt upgrade is strongly
+recommended. Attacks using this security hole will involve the attacker
+either providing a ssh repository url to the user, or the user pulling from
+a git-annex repository provided by an attacker and then running `git annex
+enableremote`. For details about the security hole, see
+[[bugs/dashed_ssh_hostname_security_hole]].
git-annex 6.20170818 released with [[!toggle text="these changes"]]
[[!toggleable text="""
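Review bot: the rewritten note describes the two attack paths but not which releases are affected; because this news item is for 6.20170818 itself, a clause such as "all earlier releases are affected" (if that is the case) would tell readers directly whether they need to upgrade. Minor: the backticked command `git annex enableremote` is wrapped across two source lines; the code span still renders, but keeping it on one line avoids any renderer treating the break as the end of the span.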