27 lines
1.1 KiB
Markdown
27 lines
1.1 KiB
Markdown
git-annex was vulnerable to the same class of security hole as
|
|
git's CVE-2017-1000117. In several cases, git-annex parses a repository
|
|
url, and uses it to generate a ssh command, with the hostname to ssh to
|
|
coming from the url. If the hostname it parses is something like
|
|
"-oProxyCommand=evil", this could result in arbitrary local code execution
|
|
via ssh.
|
|
|
|
I have not bothered to try to exploit the problem, and some details of URL
|
|
parsing may prevent the exploit working in some cases.
|
|
|
|
Exploiting this would involve the attacker tricking the victim into adding
|
|
a remote something like "ssh://-oProxyCommand=evil/blah".
|
|
|
|
One possible avenue for an attacker that avoids exposing the URL to the
|
|
user is to use initremote with a ssh remote, so embedding the URL in the
|
|
git-annex branch. Then the victim would enable it with enableremote.
|
|
|
|
This was fixed in version 6.20170818. Now there's a SshHost type that
|
|
is not allowed to start with a dash, and every invocation of ssh is
|
|
in a function that takes a SshHost.
|
|
|
|
CVE-2017-12976 has been assigned for this issue.
|
|
|
|
[[done]]
|
|
|
|
--[[Joey]]
|
|
|