
Git, Mercurial, SVN, and CVS affected by severe vulnerability


Deozaan:
Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link.

Social engineering not necessary to exploit the flaw

Schneeweisz says that a URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.

"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules," Schneeweisz explains.

"It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.
-https://www.bleepingcomputer.com/news/security/source-code-management-tools-affected-by-severe-vulnerability/
--- End quote ---

Patches to fix the vulnerability should already have been released, so be sure to update your version control to protect yourself from this vulnerability.

Read more about it here: https://www.bleepingcomputer.com/news/security/source-code-management-tools-affected-by-severe-vulnerability/
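The mechanism the quoted article describes is that git builds one positional argument, "[user@]host", out of the URL and hands it to the ssh client, so a "host" that starts with a dash is parsed by ssh as an option. The following script is an added example for this thread (it is not DonationCoder's, BleepingComputer's or git's own code, and the .gitmodules content is constructed for illustration); it checks submodule URLs the way the released git fix does, by refusing any URL whose host argument would begin with a dash, and covers both the ssh:// form and the scp-like "host:path" form that reaches ssh without a scheme.

```python
import re

# Constructed sample .gitmodules (not taken from the thread). The second and
# third entries have the shape the quoted article describes: the "host" that
# git would pass to ssh is really an ssh command-line option.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
    path = vendor/libfoo
    url = https://example.invalid/org/libfoo.git
[submodule "evil"]
    path = vendor/evil
    url = ssh://-oProxyCommand=some-command/repo.git
[submodule "scp-style"]
    path = vendor/scp
    url = -oProxyCommand=some-command:repo.git
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
URL_RE = re.compile(r'^\s*url\s*=\s*(\S.*?)\s*$', re.IGNORECASE)


def ssh_host_argument(url):
    """Return the "[user@]host[:port]" string git would hand to ssh as its
    positional host argument for this URL, or None if the URL does not use
    the ssh transport.

    Two spellings reach ssh: "ssh://[user@]host[:port]/path" and the scp-like
    "[user@]host:path" (no scheme, and no '/' before the first ':').
    """
    if url.startswith("ssh://"):
        # Everything up to the first '/' after the scheme is the authority.
        return url[len("ssh://"):].split("/", 1)[0]
    if "://" not in url and ":" in url:
        head = url.split(":", 1)[0]
        # A '/' before the colon means a local path, not scp-like syntax.
        if "/" in head:
            return None
        return head
    return None


def is_option_injection(url):
    """True if cloning this URL would pass ssh an argument starting with '-'."""
    arg = ssh_host_argument(url)
    return arg is not None and arg.startswith("-")


def find_suspicious_submodules(gitmodules_text):
    """Scan .gitmodules content and return (name, url) pairs whose URL would
    take the option-injection path when the submodule is cloned or updated."""
    flagged = []
    current = None
    for line in gitmodules_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = URL_RE.match(line)
        if m and current is not None and is_option_injection(m.group(1)):
            flagged.append((current, m.group(1)))
    return flagged


if __name__ == "__main__":
    for name, url in find_suspicious_submodules(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: rejecting url {url!r} "
              f"(ssh host argument starts with '-')")
```

Running the script against the constructed sample flags the "evil" and "scp-style" entries and leaves the https:// one alone. On a real checkout the same function can be pointed at the repository's .gitmodules before running a recursive clone or submodule update with an unpatched client; once the patched version control tools mentioned above are installed, git performs the equivalent rejection itself.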

Tuxman:
Or just use a sane VCS.

Deozaan:
Or just use a sane VCS.
-Tuxman (August 11, 2017, 12:46 PM)
--- End quote ---

Such as?

I thought you liked Mercurial.

Tuxman:
I admit it doesn't look too well for Mercurial. Hmm, Darcs?  :huh: (I still need an excuse to spend more time with it.)
But I also admit that - while ssh:// links were quite common when my go-to VCS was SVN - the number of times I had an ssh:// link in Hg was actually zero up to this day. Doesn't Git have git:// as well?

Deozaan:
I have pretty much always used https:// to clone (or otherwise interact with) repositories with Hg. But ssh does seem to be what the main online VCS services (GitHub, Bitbucket, etc.) try to push on you by default.
