Re: Wheezy update of git?
- To: Chris Lamb <lamby@debian.org>, Anders Kaseorg <andersk@mit.edu>, Gerrit Pape <pape@smarden.org>, Jonathan Nieder <jrnieder@gmail.com>, debian-lts@lists.debian.org
- Subject: Re: Wheezy update of git?
- From: Raphael Hertzog <hertzog@debian.org>
- Date: Thu, 23 Mar 2017 11:40:08 +0100
- Message-id: <20170323104008.aqux4phflrvdscwy@home.ouaza.com>
- Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, Chris Lamb <lamby@debian.org>, Anders Kaseorg <andersk@mit.edu>, Gerrit Pape <pape@smarden.org>, Jonathan Nieder <jrnieder@gmail.com>, debian-lts@lists.debian.org
- In-reply-to: <20170321123759.euwl3bosf7uyr6og@home.ouaza.com>
- References: <1490001649.2638181.916855392.4F6C1E34@webmail.messagingengine.com> <20170321123759.euwl3bosf7uyr6og@home.ouaza.com>
Hi,
On Tue, 21 Mar 2017, Raphael Hertzog wrote:
> I tried to check out https://github.com/njhartwell/pw3nage while having
> bash-completion loaded and with a PS1 containing $(__git_ps1 2>/dev/null)
> or $(__git_ps1 " (%s)") and was unable to get any code execution.
>
> I'm not sure when the vulnerability was introduced but it looks
> like 1.7.10.4-1+wheezy3 is not affected, at least when using bash.
>
> Can someone else double check?
Salvatore suggested to me that the vulnerability might have been introduced
by https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250
Looking a bit more closely, I would go even further and say that the
vulnerability is specific to that "pc_mode", meaning that it is only
exploitable when you set PROMPT_COMMAND='__git_ps1 "before" "after"'
and when PS1 is thus set dynamically by __git_ps1 itself.
By definition, PS1 is interpreted once when a prompt must be shown and the
inclusion of a string like "$(foo)" by way of the substitution
"${b##refs/heads/}" is the core of the problem. But this is not possible
if you set PS1 statically to "...$(__git_ps1)...".
So I will mark wheezy as unaffected.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
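To make the distinction above concrete for anyone auditing their own prompt setup, here is an added example (my own illustration, not code from the mail, from Debian or from git's git-prompt.sh). It models the three prompt-construction styles with small stand-in functions: git_ps1_stub, canary, FAKE_BRANCH, render_prompt and the git_ps1_pcmode_* functions are all hypothetical names. The branch name is a constructed one carrying "$(canary)", and the canary only prints a marker, so a rendered prompt containing CANARY-EXECUTED shows that the prompt machinery executed text taken from the branch name. The third variant shows the mitigation pattern: keep the branch name in a variable and put only an indirect reference into PS1, so expansion substitutes the value without rescanning it.

```shell
#!/bin/sh
# Added example, not from the original mail or from git. Models why a static
# PS1 containing $(__git_ps1) is inert while "pc_mode" (PROMPT_COMMAND calling
# __git_ps1 "before" "after") lets a branch name reach PS1 unexpanded.

# Constructed branch name carrying a command substitution. git allows '$', '('
# and ')' in ref names. The canary only prints a marker; it is the evidence
# that prompt expansion ran something that came from the branch name.
FAKE_BRANCH='main$(canary)'
canary() { printf '%s' 'CANARY-EXECUTED'; }

# Stand-in for __git_ps1 in its output-only form: prints the branch name.
git_ps1_stub() { printf '%s' "$FAKE_BRANCH"; }

# Stand-in for bash displaying a prompt. After decoding \u, \w etc., bash
# (with promptvars on, the default) applies parameter expansion and command
# substitution to the PS1 string; eval over a double-quoted copy is a close
# enough model of that step for this demonstration.
render_prompt() { eval "printf '%s' \"$1\""; }

# Static mode: PS1 itself contains $(git_ps1_stub). That substitution runs
# when the prompt is shown and its output is inserted verbatim; substitution
# output is never re-expanded, so the "$(canary)" text stays inert.
render_static() {
    PS1='[$(git_ps1_stub)]>'
    render_prompt "$PS1"
}

# pc_mode, unsafe: PROMPT_COMMAND calls the prompt function, which assigns
# PS1 with the branch name spliced in. When the prompt is then expanded, the
# "$(canary)" that came from the branch name is executed.
git_ps1_pcmode_unsafe() { PS1="$1$FAKE_BRANCH$2"; }
render_pcmode_unsafe() {
    git_ps1_pcmode_unsafe '(' ')>'
    render_prompt "$PS1"
}

# pc_mode, hardened: store the branch name in a variable and place only the
# literal text ${__git_ps1_branch_name} into PS1 (note the single quotes).
# Expansion substitutes the variable's value without rescanning it, so the
# branch name is displayed exactly as written. Variable name is illustrative.
git_ps1_pcmode_hardened() {
    __git_ps1_branch_name=$FAKE_BRANCH
    PS1="$1"'${__git_ps1_branch_name}'"$2"
}
render_pcmode_hardened() {
    git_ps1_pcmode_hardened '(' ')>'
    render_prompt "$PS1"
}

# Check helper: did rendering this prompt execute the canary? (0 = yes)
prompt_ran_code() {
    case "$1" in
        *CANARY-EXECUTED*) return 0 ;;
        *) return 1 ;;
    esac
}

printf 'static           -> %s\n' "$(render_static)"
printf 'pc_mode unsafe   -> %s\n' "$(render_pcmode_unsafe)"
printf 'pc_mode hardened -> %s\n' "$(render_pcmode_hardened)"
```

Running it prints `[main$(canary)]>` for the static prompt, `(mainCANARY-EXECUTED)>` for the unsafe pc_mode prompt, and `(main$(canary))>` for the hardened one. The eval in render_prompt is only a model; on bash 4.4 or newer the real prompt expansion can be observed directly with `printf '%s\n' "${PS1@P}"` after setting PS1 the way each variant does.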