Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • October 20, 2017, 10:01 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Git, Mercurial, SVN, and CVS affected by severe vulnerability  (Read 578 times)

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 8,086
    • View Profile
    • Donate to Member
Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link.

Social engineering not necessary to exploit the flaw

Schneeweisz says that a URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.

"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules," Schneeweisz explains.

"It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.

Patches to fix the vulnerability should already have been released, so be sure to update your version control to protect yourself from this vulnerability.

Read more about it here: https://www.bleeping...evere-vulnerability/

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,899
    • View Profile
    • Donate to Member
Re: Git, Mercurial, SVN, and CVS affected by severe vulnerability
« Reply #1 on: August 11, 2017, 12:46 PM »
Or just use a sane VCS.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 8,086
    • View Profile
    • Donate to Member
Re: Git, Mercurial, SVN, and CVS affected by severe vulnerability
« Reply #2 on: August 11, 2017, 07:22 PM »
Or just use a sane VCS.

Such as?

I thought you liked Mercurial.

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,899
    • View Profile
    • Donate to Member
Re: Git, Mercurial, SVN, and CVS affected by severe vulnerability
« Reply #3 on: August 11, 2017, 07:27 PM »
I admit it doesn't look too well for Mercurial. Hmm, Darcs?  :huh: (I still need an excuse to spend more time with it.)
But I also admit that - while ssh:// links were quite common when my go-to VCS was SVN - the number of times I had a ssh:// link in Hg was actually zero up to this day. Doesn't Git have git:// as well?

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 8,086
    • View Profile
    • Donate to Member
Re: Git, Mercurial, SVN, and CVS affected by severe vulnerability
« Reply #4 on: August 11, 2017, 07:34 PM »
I have pretty much always used https:// to clone (or otherwise interact with) repositories with Hg. But ssh does seem to be what the main online VCS services (Github, Bitbucket, etc.) try to push on you by default.

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,899
    • View Profile
    • Donate to Member
Re: Git, Mercurial, SVN, and CVS affected by severe vulnerability
« Reply #5 on: August 11, 2017, 07:38 PM »
Hooray, assumptions!

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,100
    • View Profile
    • Donate to Member
Re: Git, Mercurial, SVN, and CVS affected by severe vulnerability
« Reply #6 on: August 12, 2017, 03:31 PM »
I much prefer ssh for transport protocol for my VCS, since it allows me to do public-key based authentication instead of HTTPS user/password wank. It's the sane default choice.