add security page with current and past security holes
This commit is contained in:
parent
cc08135e65
commit
71d39caf5c
7 changed files with 82 additions and 10 deletions
|
@ -21,10 +21,6 @@ In either case, git-annex gets the content of the annexed file, following
|
||||||
the file:// url. Then git-annex transfers the content back to the
|
the file:// url. Then git-annex transfers the content back to the
|
||||||
attacker's repository.
|
attacker's repository.
|
||||||
|
|
||||||
Note that the victim can always detect this attack after the fact, since
|
|
||||||
even if the attacker deletes the file, the git history will still
|
|
||||||
contain it.
|
|
||||||
|
|
||||||
It may also be possible to exploit scp:// sftp:// smb:// etc urls to get at
|
It may also be possible to exploit scp:// sftp:// smb:// etc urls to get at
|
||||||
files on other computers that the user has access to as well as localhost.
|
files on other computers that the user has access to as well as localhost.
|
||||||
I was not able to get curl to download from scp:// or sftp:// on debian
|
I was not able to get curl to download from scp:// or sftp:// on debian
|
||||||
|
@ -108,7 +104,7 @@ May have to disable use of http proxies unless
|
||||||
Or better, find what http proxy is enabled and prevent using it if it's on
|
Or better, find what http proxy is enabled and prevent using it if it's on
|
||||||
an IP not allowed there.
|
an IP not allowed there.
|
||||||
|
|
||||||
> TODO
|
> done in [[!commit cc08135e659d3ca9ea157246433d8aa90de3baf7]]
|
||||||
|
|
||||||
----
|
----
|
||||||
|
|
||||||
|
@ -122,8 +118,8 @@ in response to a TRANSFER RETRIEVE will have the same problems as
|
||||||
git-annex's url downloading.
|
git-annex's url downloading.
|
||||||
|
|
||||||
> Checked all known external special remotes
|
> Checked all known external special remotes
|
||||||
> to see if they used GETURLS; only one that did is ipfs, which doesn't use
|
> to see if they used GETURLS. ipfs did, but not in an exploitable way.
|
||||||
> http so is ok.
|
> datalad does; looped in its developers to asess. Rest appear not to.
|
||||||
|
|
||||||
> TODO document this security issue in special remote protocol page
|
> TODO document this security issue in special remote protocol page
|
||||||
|
|
||||||
|
@ -195,5 +191,9 @@ youtube-dl
|
||||||
glacier
|
glacier
|
||||||
|
|
||||||
> This special remote uses glacier-cli, which will need to be audited.
|
> This special remote uses glacier-cli, which will need to be audited.
|
||||||
> Emailed basak.
|
> Emailed Robie Basak about it, and he looked into the http libraries
|
||||||
> TODO
|
> used by glacier-cli and boto. It appears that they do not support
|
||||||
|
> file:///. It also appears that the libraries do not handle redirects
|
||||||
|
> themselves, and that boto does not handle http redirects. glacier-cli
|
||||||
|
> uses https. Combining all this, it seems that glacier-cli is not
|
||||||
|
> vulnerable to this class of attacks.
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
[[!if test="news/*" then="""
|
[[!if test="news/*" then="""
|
||||||
This is where announcements of new releases, features, and other news is
|
This is where announcements of new releases, features, and other news is
|
||||||
posted. git-annex users are recommended to subscribe to this page's RSS
|
posted. git-annex users are recommended to subscribe to this page's RSS
|
||||||
feed.
|
feed. Also, see [[security]] for security announcements.
|
||||||
|
|
||||||
[[!inline pages="./news/* and !./news/*/* and !*/Discussion" rootpage="news" show="30"]]
|
[[!inline pages="./news/* and !./news/*/* and !*/Discussion" rootpage="news" show="30"]]
|
||||||
|
|
||||||
|
|
4
doc/security.mdwn
Normal file
4
doc/security.mdwn
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
Information about all known security holes in git-annex, and their fixes.
|
||||||
|
Subscribe to the RSS feed to be kept up to date.
|
||||||
|
|
||||||
|
[[!inline pages="./security/* and !./security/*/* and !*/Discussion" rootpage="security" show="0"]]
|
10
doc/security/CVE-2014-6274.mdwn
Normal file
10
doc/security/CVE-2014-6274.mdwn
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
CVE-2014-6274: Security fix for S3 and glacier when using embedcreds=yes with
|
||||||
|
encryption=pubkey or encryption=hybrid.
|
||||||
|
|
||||||
|
The creds embedded in the git repo were *not* encrypted.
|
||||||
|
git-annex enableremote will warn when used on a remote that has
|
||||||
|
this problem. For details, see [[upgrades/insecure_embedded_creds]].
|
||||||
|
|
||||||
|
Fixed in git-annex 5.20140919.
|
||||||
|
|
||||||
|
[[!meta date="Fri, 19 Sep 2014 12:53:42 -0400"]]
|
10
doc/security/CVE-2017-12976.mdwn
Normal file
10
doc/security/CVE-2017-12976.mdwn
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
CVE-2017-12976: A hostname starting with a dash would get passed to ssh and be treated as
|
||||||
|
an option. This could be used by an attacker who provides a crafted
|
||||||
|
repository url to cause the victim to execute arbitrary code via
|
||||||
|
`-oProxyCommand`.
|
||||||
|
|
||||||
|
Fixed in git-annex 6.20170818
|
||||||
|
|
||||||
|
This is related to a git security hole, [CVE-2017-1000117](https://marc.info/?l=git&m=150238802328673&w=2).
|
||||||
|
|
||||||
|
[[!meta date="Fri, 18 Aug 2017 11:19:06 -0400"]]
|
|
@ -0,0 +1,12 @@
|
||||||
|
A bug exposed the checksum of annexed files to encrypted
|
||||||
|
special remotes, which are not supposed to have access to the checksum of
|
||||||
|
the un-encrypted file. This only occurred when resuming uploads to the
|
||||||
|
encrypted special remote, so it is considered a low-severity security hole.
|
||||||
|
|
||||||
|
For details, see [[!commit b890f3a53d936b5e40aa9acc5876cb98f18b9657]]
|
||||||
|
|
||||||
|
No CVE was assigned for this issue.
|
||||||
|
|
||||||
|
Fixed in git-annex 6.20160419
|
||||||
|
|
||||||
|
[[!meta date="Thu, 28 Apr 2016 09:31:14 -0400"]]
|
36
doc/security/private_data_exposure.mdwn
Normal file
36
doc/security/private_data_exposure.mdwn
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
Some uses of git-annex were vulnerable to a private data exposure and
|
||||||
|
exfiltration attack. It could expose the content of files located
|
||||||
|
outside the git-annex repository, or content from a private
|
||||||
|
web server on localhost or the LAN.
|
||||||
|
|
||||||
|
This was fixed in git-annex 6.20180622.
|
||||||
|
|
||||||
|
## details
|
||||||
|
|
||||||
|
The attacker needed to have control over one of the remotes of the git-annex
|
||||||
|
repository. For example, they may provide a public git-annex repository that
|
||||||
|
the victim clones. Or the victim may have paired repositories with them. Or,
|
||||||
|
equivilantly, the attacker could have read access to the victim's git-annex
|
||||||
|
repository (eg on a server somewhere), and some channel to get commits into it
|
||||||
|
(eg a pull requests).
|
||||||
|
|
||||||
|
The attacker does `git-annex addurl --relaxed file:///etc/passwd` and commits
|
||||||
|
this to the repository in some out of the way place. Then they wait for the
|
||||||
|
victim to pull the change. (As well as `file:///` urls, the attacker can
|
||||||
|
use urls to private web servers. The url can also be one that the attacker
|
||||||
|
controls, that redirects to such urls.)
|
||||||
|
|
||||||
|
The easiest exploit is when the victim is running the git-annex assistant, or
|
||||||
|
is periodically doing `git annex sync --content`. The victim may also perform
|
||||||
|
the equivilant actions manually, not noticing they're operating on the file.
|
||||||
|
|
||||||
|
In either case, git-annex gets the content of the annexed file, following
|
||||||
|
the attacker-provider url to private data. Then git-annex transfers the content
|
||||||
|
back to the attacker's repository.
|
||||||
|
|
||||||
|
This attack was fixed by making git-annex refuse to follow `file:///` urls
|
||||||
|
and urls pointing to private/local IP addresses by default. Two new
|
||||||
|
configuration settings, annex.security.allowed-url-schemes and
|
||||||
|
annex.security.allowed-http-addresses, can relax this security policy,
|
||||||
|
and are intended for cases where the git-annex repository is kept
|
||||||
|
private and so the attack does not apply.
|
Loading…
Reference in a new issue