add bug for security hole, with exploit details

2017-08-18 11:36:34 -04:00 · 2017-08-18 11:36:34 -04:00 · c24d0f0e89
commit c24d0f0e89
parent ef8b1d86bf
2 changed files with 31 additions and 3 deletions
--- a/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
+++ b/doc/bugs/dashed_ssh_hostname_security_hole.mdwn
@ -0,0 +1,25 @@
+git-annex was vulnerable to the same class of security hole as
+git's CVE-2017-1000117. In several cases, git-annex parses a repository
+url, and uses it to generate a ssh command, with the hostname to ssh to
+coming from the url. If the hostname it parses is something like
+"-eProxyCommand=evil", this could result in arbitrary local code execution
+via ssh.
+
+I have not bothered to try to exploit the problem, and some details of URL
+parsing may prevent the exploit working in some cases.
+
+Exploiting this would involve the attacker tricking the victim into adding
+a remote something like "ssh://-eProxyCommand=evil/blah".
+
+One possible avenue for an attacker that avoids exposing the URL to the
+user is to use initremote with a ssh remote, so embedding the URL in the
+git-annex branch. Then the victim would enable it with enableremote.
+
+This was fixed in version 6.20170818. Now there's a SshHost type that
+is not allowed to start with a dash, and every invocation of git-annex is
+in a function that takes a SshHost. 
+
+[[done]]
+
+--[[Joey]]
+