mirrors/git-annex
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

i believe you meant -o here, not -e. -e is escape character, while -o is to change options.

Browse source
This commit is contained in:
anarcat 2017-09-27 16:38:07 +00:00 committed by admin
parent 596698e138
commit b614f36873
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
doc/bugs/dashed_ssh_hostname_security_hole.mdwn
View file

@ -2,14 +2,14 @@ git-annex was vulnerable to the same class of security hole as
git's CVE-2017-1000117. In several cases, git-annex parses a repository git's CVE-2017-1000117. In several cases, git-annex parses a repository
url, and uses it to generate a ssh command, with the hostname to ssh to url, and uses it to generate a ssh command, with the hostname to ssh to
coming from the url. If the hostname it parses is something like coming from the url. If the hostname it parses is something like
"-eProxyCommand=evil", this could result in arbitrary local code execution "-oProxyCommand=evil", this could result in arbitrary local code execution
via ssh. via ssh.
I have not bothered to try to exploit the problem, and some details of URL I have not bothered to try to exploit the problem, and some details of URL
parsing may prevent the exploit working in some cases. parsing may prevent the exploit working in some cases.
Exploiting this would involve the attacker tricking the victim into adding Exploiting this would involve the attacker tricking the victim into adding
a remote something like "ssh://-eProxyCommand=evil/blah". a remote something like "ssh://-oProxyCommand=evil/blah".
One possible avenue for an attacker that avoids exposing the URL to the One possible avenue for an attacker that avoids exposing the URL to the
user is to use initremote with a ssh remote, so embedding the URL in the user is to use initremote with a ssh remote, so embedding the URL in the