Re: Wheezy update of git?

[Raphael Hertzog <hertzog@debian.org>]

Hi,

On Tue, 21 Mar 2017, Raphael Hertzog wrote:
> I tried to checkout https://github.com/njhartwell/pw3nage while having
> bash-completion loaded and with a PS1 containing $(__git_ps1 2>/dev/null)
> or $(__git_ps1 " (%s)") and was unable to get any code execution.
> 
> I'm not sure when the vulnerability was introduced but it looks
> like that 1.7.10.4-1+wheezy3 is not affected at least when using bash.
> 
> Can someone else double check?

Salvatore suggested me that the vulnerability might have been introduced
by https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250

Looking a bit more closely, I would go even further and say that the
vulnerability is specific to that "pc_mode" meaning that it is only
exploitable when you set PROMPT_COMMAND='__git_ps1 "before" "after"'
and when PS1 is thus set dynamically by __git_ps1 itself.

By definition, PS1 is interpreted once when a prompt must be shown and the
inclusion of a string like "$(foo)" by way of the substitution
"${b##refs/heads/}" is the core of the problem. But this is not possible
if you set PS1 statically to "...$(__git_ps1)...".

So I will mark wheezy as unaffected.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/