ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Main Area and Open Discussion > General Software Discussion

Git, Mercurial, SVN, and CVS affected by severe vulnerability

(1/2) > >>

Discovered by Joern Schneeweisz, a security researcher for Recurity Labs, the flaw relies on tricking users into cloning (copying) a source code project via an "ssh://" link.

Social engineering not necessary to exploit the flaw

Schneeweisz says that a URL in the form of "ssh://-oProxyCommand=some-command" allows an attacker to execute commands on the computer of the user performing the clone operation.

"While it might be tricky to convince a user to clone a repository with a rather shady looking ssh:// URL, this attack vector is exploitable in a more sneaky way when it comes to Git submodules," Schneeweisz explains.

"It is possible to create a Git repository that contains a crafted ssh:// submodule URL. When such a repository is cloned recursively, or the submodule is updated, the ssh:// payload will trigger," the researcher added.-
--- End quote ---

Patches to fix the vulnerability should already have been released, so be sure to update your version control to protect yourself from this vulnerability.

Read more about it here:

Or just use a sane VCS.

Or just use a sane VCS.
-Tuxman (August 11, 2017, 12:46 PM)
--- End quote ---

Such as?

I thought you liked Mercurial.

I admit it doesn't look too well for Mercurial. Hmm, Darcs?  :huh: (I still need an excuse to spend more time with it.)
But I also admit that - while ssh:// links were quite common when my go-to VCS was SVN - the number of times I had a ssh:// link in Hg was actually zero up to this day. Doesn't Git have git:// as well?

I have pretty much always used https:// to clone (or otherwise interact with) repositories with Hg. But ssh does seem to be what the main online VCS services (Github, Bitbucket, etc.) try to push on you by default.


[0] Message Index

[#] Next page

Go to full version