document CVE-2018-10859

Joey Hess 2018-06-21 11:27:56 -04:00
parent 22f49f216e
commit 537935333f
No known key found for this signature in database
GPG key ID: DB12DB0FF05F8F38
2 changed files with 73 additions and 32 deletions

@ -143,6 +143,7 @@ So if the attacker knows a file that the user has encrypted with any of
their gpg keys, they can provide that file, and hope it will be decrypted.
Note that this does not need a redirect to a local file or web server; the
attacker can make their web server serve up a gpg encrypted file.
This is a separate vulnerability and was assigned CVE-2018-10859.
So, content downloaded from encrypted special remotes (both internal and
external) must be rejected unless it can be verified with a hash. Then
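Review bot: The sentence "This is a separate vulnerability and was assigned CVE-2018-10859." does not say what "This" covers or which issue it is separate from, so a reader who arrives here from the CVE identifier has to infer the scope from the preceding paragraph. Suggest naming the behaviour next to the identifier, for example that decrypting an attacker-served gpg encrypted file from an encrypted special remote is the issue tracked as CVE-2018-10859, and stating which earlier issue it is distinct from. Since the text just above says the attack "does not need a redirect to a local file or web server", it would also help to state here that redirect handling alone does not address this CVE and that the hash verification described in the next paragraph is the mitigation.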
@ -154,6 +155,9 @@ untrusted third parties, and relax that check.
> TODO
Tocho Tochev has updated git-annex-remote-pcloud to not follow http
redirects.
----
Built-in special remotes that use protocols on top of http, eg S3 and WebDAV,
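Review bot: The note "Tocho Tochev has updated git-annex-remote-pcloud to not follow http redirects." sits directly under "> TODO" without saying whether the TODO is now resolved or which release or commit of git-annex-remote-pcloud carries the change, so users cannot tell which version to upgrade to. Suggest adding the version or a link to the change, and either removing the TODO marker or listing what still remains to be checked. Because the earlier section states that the gpg decryption attack works without any redirect, it is also worth saying which of the documented issues this redirect change mitigates.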