diff options
author | Joey Hess <joeyh@joeyh.name> | 2017-08-17 22:11:31 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2017-08-17 22:11:31 -0400 |
commit | c1aec2ae837c24b602c7a0ca3fc7b0fcad565758 (patch) | |
tree | 6ce58560d65d4a3a6529569cfdde4c80b6b5e5bf /CHANGELOG | |
parent | d998fce1481a4bc7779e21cb2ff6a0fa42d72c7a (diff) |
avoid the dashed ssh hostname class of security holes
Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated an option. This could be used by an attacker
who provides a crafted ssh url (for eg a git remote) to execute arbitrary
code via ssh -oProxyCommand.
No CVE has yet been assigned for this hole.
The same class of security hole recently affected git itself,
CVE-2017-1000117.
Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.
SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.
Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.
This commit was sponsored by Jochen Bartl on Patreon.
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- | CHANGELOG | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -1,5 +1,10 @@ git-annex (6.20170521) UNRELEASED; urgency=medium + * Security fix: Disallow hostname starting with a dash, which + would get passed to ssh and be treated an option. This could + be used by an attacker who provides a crafted ssh url to execute + arbitrary code via -oProxyCommand. + (The same class of security hole recently affected git itself.) * Fix build with QuickCheck 2.10. * fsck: Support --json. * Added GIT_ANNEX_VECTOR_CLOCK environment variable, which can be used to |