From c1aec2ae837c24b602c7a0ca3fc7b0fcad565758 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 17 Aug 2017 22:11:31 -0400 Subject: avoid the dashed ssh hostname class of security holes Security fix: Disallow hostname starting with a dash, which would get passed to ssh and be treated an option. This could be used by an attacker who provides a crafted ssh url (for eg a git remote) to execute arbitrary code via ssh -oProxyCommand. No CVE has yet been assigned for this hole. The same class of security hole recently affected git itself, CVE-2017-1000117. Method: Identified all places where ssh is run, by git grep '"ssh"' Converted them all to use a SshHost, if they did not already, for specifying the hostname. SshHost was made a data type with a smart constructor, which rejects hostnames starting with '-'. Note that git-annex already contains extensive use of Utility.SafeCommand, which fixes a similar class of problem where a filename starting with a dash gets passed to a program which treats it as an option. This commit was sponsored by Jochen Bartl on Patreon. --- CHANGELOG | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'CHANGELOG') diff --git a/CHANGELOG b/CHANGELOG index 603b7dc65..f3b36bf00 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,10 @@ git-annex (6.20170521) UNRELEASED; urgency=medium + * Security fix: Disallow hostname starting with a dash, which + would get passed to ssh and be treated an option. This could + be used by an attacker who provides a crafted ssh url to execute + arbitrary code via -oProxyCommand. + (The same class of security hole recently affected git itself.) * Fix build with QuickCheck 2.10. * fsck: Support --json. * Added GIT_ANNEX_VECTOR_CLOCK environment variable, which can be used to -- cgit v1.2.3