Git, Mercurial, SVN, and CVS affected by severe vulnerability

[Deozaan]

Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link.

Social engineering not necessary to exploit the flaw

Schneeweisz says that a URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.

"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules," Schneeweisz explains.

"It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.

-https://www.bleepingcomputer.com/news/security/source-code-management-tools-affected-by-severe-vulnerability/

Patches to fix the vulnerability should already have been released, so be sure to update your version control to protect yourself from this vulnerability.

Read more about it here: https://www.bleeping...evere-vulnerability/

[Tuxman]

Or just use a sane VCS.

[Deozaan]

Or just use a sane VCS.

-Tuxman (August 11, 2017, 12:46 PM)

Such as?

I thought you liked Mercurial.

[Tuxman]

I admit it doesn't look too well for Mercurial. Hmm, Darcs?  (I still need an excuse to spend more time with it.)
But I also admit that - while ssh:// links were quite common when my go-to VCS was SVN - the number of times I had a ssh:// link in Hg was actually zero up to this day. Doesn't Git have git:// as well?

[Deozaan]

I have pretty much always used https:// to clone (or otherwise interact with) repositories with Hg. But ssh does seem to be what the main online VCS services (Github, Bitbucket, etc.) try to push on you by default.

[Tuxman]

Hooray, assumptions!

[f0dder]

I much prefer ssh for transport protocol for my VCS, since it allows me to do public-key based authentication instead of HTTPS user/password wank. It's the sane default choice.