Your message dated Thu, 26 Mar 2015 12:18:45 +0000
with message-id <e1yb6kh-00066g...@franck.debian.org>
and subject line Bug#780989: fixed in dulwich 0.10.1-1
has caused the Debian Bug report #780989,
regarding python-dulwich: CVE-2014-9706: arbitrary command execution vulnerability in conjunction with git
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780989: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780989
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-dulwich
Version: 0.8.5-2
Severity: normal
Control: tag -1 + security fixed-upstream

This is like CVE-2014-9390, except without the part where it makes any
attempt to avoid paths involving ".git/".  So if someone uses dulwich to
check out a tree and then does something there with git proper, we get
all the problems of CVE-2014-9390, but without any need for a
case-insensitive filesystem: this would be directly exploitable on a
standard Debian system, assuming you had some program that actually used
dulwich to check out a tree onto the filesystem.

I believe this is what the security team calls "local (remote)".

I found the problem described in
<https://lists.launchpad.net/dulwich-users/msg00827.html>:

,----[ Re: Git vulnerability CVE-2014-9390 ]
|     To: Andi McClure <andi.m.mcclure@xxxxxxxxx>
|     From: Gary van der Merwe <garyvdm@xxxxxxxxx>
|     Date: Fri, 19 Dec 2014 00:57:33 +0200
|     Cc: dulwich-users <dulwich-users@xxxxxxxxxxxxxxxxxxx>
|     In-reply-to: <CAJDLOYLGjkZrFVTYtd=zkaipnzgbs28kktnxwoxyunoz5md...@mail.gmail.com>
| 
| On Thu, Dec 18, 2014 at 11:45 PM, Andi McClure <andi.m.mcclure@xxxxxxxxx> wrote:
| >
| > News is going around today about a potential-remote-code-execution vulnerability in the standard git clients:
| >
| > https://github.com/blog/1938-git-client-vulnerability-announced
| >
| > Is Dulwich potentially affected?
| 
| Yes. And not only on case insensitive file systems, like with git, but
| always :-(
| 
| I've attached a file to demonstrate it. It creates a repo with a
| commit of a .git/hooks/pre-commit file. Git prevents writing this file
| to the working tree, but dulwich happily writes it out.
| 
| /tmp % ./cve-2014-9390-create.py
| /tmp % cd cve-2014-9390-repo.git
| /tmp/cve-2014-9390-repo.git (git)-[master] % git reset --hard
| error: Invalid path '.git/hooks/pre-commit'
| HEAD is now at 1c27312 Evil commit
| /tmp/cve-2014-9390-repo.git (git)-[master] % dulwich reset --hard
| /tmp/cve-2014-9390-repo.git (git)-[master] % git commit -m "test" --allow-empty
| You just got cracked! (not really but you could have been!)
| [master 29a7100] test
| 
| For my own use cases of dulwich, I'm not affected by this as I only
| ever read and write directly to repos with dulwich without checking
| out trees to a working tree.  Do other users actually use the dulwich
| index module, or porcelain commands?
| 
| How do we fix this? I assume we start by filtering what we write in
| dulwich.index.build_index_from_tree? Filtering the case sensitive and
| case insensitive cases is easy, but some of the other edge cases
| ("git~1" on windows, ".g\u200cit" on HFS+) are a little more tricky.
| Do we care about preventing a user from adding these paths to the
| index?
| 
| 
| Gary
...
[ Demo scrubbed ]
...
`----

And the CVE was assigned at <http://seclists.org/oss-sec/2015/q1/939>:

,----
| > Does the scope of CVE-2014-9390 also include these bits
| > from the above:
|  
| > dulwich happily clones a repository which contains a commit with invalid
| > paths, say .git/hooks/pre-commit, and thus allowing execution of code
| > on subsequent commits.
| 
| No, the scope of CVE-2014-9390 does not include that. Use
| CVE-2014-9706 for this vulnerability in dulwich.
| 
| The scope of CVE-2014-9390 is currently undefined, in part because
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
| intentionally doesn't have any related information. Usage of
| CVE-2014-9390 is, very roughly, concerned with "The string .git/ for a
| directory name has always been considered Very Special. Therefore,
| other strings with equivalence relationships to .git/ must also be
| considered Very Special."
| 
| The root cause of the problem in dulwich seems to be "The string .git/
| for a directory name was not considered Very Special." This is
| completely distinct conceptually, and is a much simpler case for CVE
| coverage.
| 
| There are two types of concerns with CVE-2014-9390. First,
| CVE-2014-9390 can only apply to omitted equivalence-relationship
| handling in source code that is, or is directly copied from, "Git
| before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before
| 2.1.4, and 2.2.x before 2.2.1" source code. It is not possible to have
| a CVE for a cross-implementation vulnerability class of this
| equivalence-relationship handling. Second, usage of CVE-2014-9390
| seems to span multiple types of problems, possibly including all of:
| 
|   http://cwe.mitre.org/data/definitions/178.html
|   http://cwe.mitre.org/data/definitions/180.html
|   http://cwe.mitre.org/data/definitions/182.html
`----

This is fixed upstream in
<https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176>,
slated for inclusion in dulwich 0.9.9, though after that CVE-2014-9390
actually applies (to the extent that it's a meaningful vulnerability
identifier).

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-dulwich depends on:
ii  libc6      2.13-38+deb7u8
ii  python     2.7.3-4+deb7u1
ii  python2.6  2.6.8-1.1
ii  python2.7  2.7.3-6+deb7u2

Versions of packages python-dulwich recommends:
ii  python-fastimport  0.9.2-1

Versions of packages python-dulwich suggests:
pn  python-dulwich-dbg  <none>

-- no debconf information

--- End Message ---
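The fix direction Gary sketches in the quoted thread (filter the paths that build_index_from_tree writes, covering the exact ".git" name, its case variants, the "git~1" short name on Windows and the ".g\u200cit" HFS+ case) can be implemented as a validator run over raw tree paths before anything touches the filesystem. The example below is added here for illustration; it is not dulwich's code and not the upstream commit linked above. The function names (`validate_tree_path`, `filter_checkout_entries`, `is_dotgit_alias`), the set of HFS+-ignorable code points and the sample tree paths are assumptions constructed for the example.

```python
import unicodedata

# Code points that HFS+ ignores when comparing file names, so ".g\u200cit"
# and ".git" name the same directory there.  Constructed for this example
# (assumption); it mirrors the Unicode ranges git's own check skips over.
_HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def _hfs_fold(component):
    """Drop HFS+-ignorable code points and NFD-normalise one path component."""
    stripped = "".join(ch for ch in component if ord(ch) not in _HFS_IGNORABLE)
    return unicodedata.normalize("NFD", stripped)


def _is_ntfs_dotgit(component):
    """True for NTFS aliases of ".git": the filesystem strips trailing dots
    and spaces, and the 8.3 short name "GIT~1" maps onto ".git"."""
    c = component.lower().rstrip(". ")
    return c in (".git", "git~1")


def is_dotgit_alias(component):
    """True if a single path component names the ".git" directory on some
    filesystem: exact, case-folded (CWE-178), NTFS short name / trailing
    punctuation, or HFS+ ignorable code points (CWE-182)."""
    if component.lower() == ".git":
        return True
    if _is_ntfs_dotgit(component):
        return True
    return _hfs_fold(component).lower() == ".git"


def validate_tree_path(path):
    """Return None if `path` (a slash-separated path as stored in a git tree
    object) is safe to write into a working tree, else a reason string.
    The check runs on the raw tree path, before any filesystem
    canonicalisation gets a chance to collapse it (CWE-180)."""
    if not path:
        return "empty path"
    if path.startswith("/"):
        return "absolute path"
    for comp in path.split("/"):
        if comp == "":
            return "empty component (doubled or trailing slash)"
        if comp in (".", ".."):
            return "relative component %r" % comp
        if "\\" in comp:
            return "backslash in component (directory separator on Windows)"
        if is_dotgit_alias(comp):
            return "component %r aliases .git" % comp
    return None


def filter_checkout_entries(paths):
    """Partition tree paths into those safe to check out and (path, reason)
    pairs for those that must be skipped.  A checkout routine such as
    build_index_from_tree would apply this before writing each entry."""
    safe, rejected = [], []
    for path in paths:
        reason = validate_tree_path(path)
        if reason is None:
            safe.append(path)
        else:
            rejected.append((path, reason))
    return safe, rejected


# Constructed sample tree paths: two ordinary files plus the variants named
# in the report (exact ".git", case variant, Windows short name, HFS+ zero-width).
SAMPLE_TREE_PATHS = [
    "src/main.py",
    "docs/.gitignore",
    ".git/hooks/pre-commit",
    ".GIT/hooks/pre-commit",
    "git~1/hooks/pre-commit",
    ".g\u200cit/hooks/pre-commit",
]

if __name__ == "__main__":
    safe, rejected = filter_checkout_entries(SAMPLE_TREE_PATHS)
    for p in safe:
        print("write  %s" % p)
    for p, why in rejected:
        print("skip   %r: %s" % (p, why))
```

Note that ".gitignore" passes: only a component that collapses to exactly ".git" on some filesystem is rejected, so ordinary dotfiles are unaffected. Rejecting rather than sanitising keeps the check simple to reason about, and the returned reason string is what a checkout routine would log when it skips an entry.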
--- Begin Message ---
Source: dulwich
Source-Version: 0.10.1-1

We believe that the bug you reported is fixed in the latest version of
dulwich, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jelmer Vernooij <jel...@debian.org> (supplier of updated dulwich package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 07 Feb 2015 17:44:28 +0100
Source: dulwich
Binary: python-dulwich python-dulwich-dbg pypy-dulwich
Architecture: source amd64
Version: 0.10.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Jelmer Vernooij <jel...@debian.org>
Description:
 pypy-dulwich - Python Git library - pypy module
 python-dulwich - Python Git library
 python-dulwich-dbg - Python Git library - Debug Extension
Closes: 780958 780989
Changes:
 dulwich (0.10.1-1) unstable; urgency=medium
 .
   * New upstream release.
    + Drop 02_unpure_pypy: applied upstream.
    + Fixes CVE-2015-0838: buffer overflow in C implementation of pack
      apply_delta(). Closes: #780958
    + Fixes CVE-2014-9706: does not prevent to write files in commits with
      invalid paths to working tree. Closes: #780989
   * Update Vcs-Git, Vcs-Browser and Maintainer fields to reflect the
     dulwich package is now maintained by the Debian Python Modules
     packaging team.
Checksums-Sha1:
 885177c9911817599c188571eb439de950b1ead8 2275 dulwich_0.10.1-1.dsc
 57f1f457be3065bac6706db2aa76d59b078597f9 272688 dulwich_0.10.1.orig.tar.gz
 88be5619497a18ba0a12b05f883bb3b1bdf61fd4 405512 dulwich_0.10.1-1.debian.tar.xz
 987d8142483ab0b4dcbd3a9f573d75889fbcacbd 202868 python-dulwich_0.10.1-1_amd64.deb
 eede404400cef3427bfbd1650d9f1a32860ad555 96880 python-dulwich-dbg_0.10.1-1_amd64.deb
 8cd1adb8c28071cd2f22059f71b2b1530a281c18 203256 pypy-dulwich_0.10.1-1_amd64.deb
Checksums-Sha256:
 0f8d7ab6b9263103ee95c3088fa8cf65eb79abd0ff377ae572e96c43dad3ac01 2275 dulwich_0.10.1-1.dsc
 666600ab5eb0b6d531879ee0f65dfefd71bce2e21ab3910c28f7789e15b6330b 272688 dulwich_0.10.1.orig.tar.gz
 9c27f5ec25f0aea96f4ead69e7ba6673173132032d029f918011b2242047cfa6 405512 dulwich_0.10.1-1.debian.tar.xz
 4854789a05f856cfa94e7b1fd4e4a475a9fd37bef62d9076984838274b4fe426 202868 python-dulwich_0.10.1-1_amd64.deb
 eeb366cf32176d7e6651bb2f25ea527acd03b98e2911879a85dbab423a9919fc 96880 python-dulwich-dbg_0.10.1-1_amd64.deb
 ab84e3bd24130348fe66813c962fe2ebc9c9dfd9f0ee28a9dd48024329b861c8 203256 pypy-dulwich_0.10.1-1_amd64.deb
Files:
 0c71f3af5046ff48c763a6ecb00a83ba 2275 python optional dulwich_0.10.1-1.dsc
 93a5facd51f3d7de7224a1a832f3a3a3 272688 python optional dulwich_0.10.1.orig.tar.gz
 83538a637bf721f69f9bb9bab7186acf 405512 python optional dulwich_0.10.1-1.debian.tar.xz
 6fd5e579f38cde2b9c1914fb7e6812ac 202868 python optional python-dulwich_0.10.1-1_amd64.deb
 86804020f33e559e53cd48fad1e0ebfe 96880 debug extra python-dulwich-dbg_0.10.1-1_amd64.deb
 c2d6861cbe45153e8c81cde1d52c5d6e 203256 python optional pypy-dulwich_0.10.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVE+kIAAoJEACAbyvXKaRXzkcP/ApqyyPoz57LUz3ZySsbNOii
JpcEn/I+4y/x+n2d+0Uz4/0BBpbvsnV/WyTpZPhJv59qLJ1tJDNBuZB13sL8DXdK
iPfwyH5qQi6rRkztwd2CCUxbe7czDiKuYw724jkFG1XDICtvPsP6IG8Xn3pv1URc
zNFR1alGp/SFiAKjLI61mmmBf766dAvLDqQmYG30vsWnhwueUdSIFXSA87jdoCu2
fO8ZgMasA8B69szJ8CFCPuFAUnXILipppg5g/8Y15iRwx3r0mvYWJclGv/Qi7tNP
kpZTrgIE7hCuZ1jagA0JgS5+Z1+Bc2wjBmOTAeZRzDRKxqTN/6pymGuEOdyTo5Gv
kgtx1R1hu6KH7nJFzgNJBgZ+5M0WJQa/RoizE1IGdDlnyIkPKajvY9WLIb5q/Q4T
Cjm0CwmERXjeY8QYZ4ELdL6KnmXt2GlOlkce6m8c9P6xAkg7o0c9OmrTxV2OKVTy
opxshJxVVxhYMMetPYbMLlObyWQvPwq5wQFuyLCqwjZbnlMVIZQhQebqhPyAYP+Z
7qwzQchSgTWub0OnUue0V4oCGOihtqqr4qKqXBokX7i955zLSgx9vVOJeq/PFLG6
Dh/N88FInvw7NiNE9xZmwswkebas6hetriUgNIt8mRZsqBo74ea8TT9JNM9RVnU0
18S5e25KJ2k8x74jpsAc
=Kt1n
-----END PGP SIGNATURE-----

--- End Message ---