Your message dated Sun, 29 Mar 2015 15:47:10 +0000
with message-id <e1ycfqc-0002ox...@franck.debian.org>
and subject line Bug#780989: fixed in dulwich 0.8.5-2+deb7u2
has caused the Debian Bug report #780989,
regarding python-dulwich: CVE-2014-9706: arbitrary command execution vulnerability in conjunction with git
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780989: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780989
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: python-dulwich
Version: 0.8.5-2
Severity: normal
Control: tag -1 + security fixed-upstream

This is like CVE-2014-9390, except without the part where it makes any
attempt to avoid paths involving ".git/".  So if someone uses dulwich to
check out a tree and then does something there with git proper, we get
all the problems of CVE-2014-9390, but without any need for a
case-insensitive filesystem: this would be directly exploitable on a
standard Debian system, assuming you had some program that actually used
dulwich to check out a tree onto the filesystem.

I believe this is what the security team calls "local (remote)".

I found the problem described in
<https://lists.launchpad.net/dulwich-users/msg00827.html>:

,----[ Re: Git vulnerability CVE-2014-9390 ]
|     To: Andi McClure <andi.m.mcclure@xxxxxxxxx>
|     From: Gary van der Merwe <garyvdm@xxxxxxxxx>
|     Date: Fri, 19 Dec 2014 00:57:33 +0200
|     Cc: dulwich-users <dulwich-users@xxxxxxxxxxxxxxxxxxx>
|     In-reply-to: <CAJDLOYLGjkZrFVTYtd=zkaipnzgbs28kktnxwoxyunoz5md...@mail.gmail.com>
| 
| On Thu, Dec 18, 2014 at 11:45 PM, Andi McClure <andi.m.mcclure@xxxxxxxxx> wrote:
| >
| > News is going around today about a potential-remote-code-execution vulnerability in the standard git clients:
| >
| > https://github.com/blog/1938-git-client-vulnerability-announced
| >
| > Is Dulwich potentially affected?
| 
| Yes. And not only on case insensitive file systems, like with git, but
| always :-(
| 
| I've attached a file to demonstrate it. It creates a repo with a
| commit of a .git/hooks/pre-commit file. Git prevents writing this file
| to the working tree, but dulwich happily writes it out.
| 
| /tmp % ./cve-2014-9390-create.py
| /tmp % cd cve-2014-9390-repo.git
| /tmp/cve-2014-9390-repo.git (git)-[master] % git reset --hard
| error: Invalid path '.git/hooks/pre-commit'
| HEAD is now at 1c27312 Evil commit
| /tmp/cve-2014-9390-repo.git (git)-[master] % dulwich reset --hard
| /tmp/cve-2014-9390-repo.git (git)-[master] % git commit -m "test" --allow-empty
| You just got cracked! (not really but you could have been!)
| [master 29a7100] test
| 
| For my own use cases of dulwich, I'm not affected by this as I only
| ever read and write directly to repos with dulwich without checking
| out trees to a working tree.  Do other users actually use the dulwich
| index module, or porcelain commands?
| 
| How do we fix this? I assume we start by filtering what we write in
| dulwich.index.build_index_from_tree? Filtering the case sensitive and
| case insensitive cases is easy, but some of the other edge cases
| ("git~1" on windows, ".g\u200cit" on HFS+) are a little more tricky.
| Do we care about preventing a user from adding these paths to the
| index?
| 
| 
| Gary
...
[ Demo scrubbed ]
...
`----

And the CVE was assigned at <http://seclists.org/oss-sec/2015/q1/939>:

,----
| > Does the scope of CVE-2014-9390 also include these bits
| > from the above:
|  
| > dulwich happily clones a repository which contains commit with invalid
| > paths, say .git/hooks/pre-commit, and thus allowing execution of code
| > on subsequent commits.
| 
| No, the scope of CVE-2014-9390 does not include that. Use
| CVE-2014-9706 for this vulnerability in dulwich.
| 
| The scope of CVE-2014-9390 is currently undefined, in part because
| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
| intentionally doesn't have any related information. Usage of
| CVE-2014-9390 is, very roughly, concerned with "The string .git/ for a
| directory name has always been considered Very Special. Therefore,
| other strings with equivalence relationships to .git/ must also be
| considered Very Special."
| 
| The root cause of the problem in dulwich seems to be "The string .git/
| for a directory name was not considered Very Special." This is
| completely distinct conceptually, and is a much simpler case for CVE
| coverage.
| 
| There are two types of concerns with CVE-2014-9390. First,
| CVE-2014-9390 can only apply to omitted equivalence-relationship
| handling in source code that is, or is directly copied from, "Git
| before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before
| 2.1.4, and 2.2.x before 2.2.1" source code. It is not possible to have
| a CVE for a cross-implementation vulnerability class of this
| equivalence-relationship handling. Second, usage of CVE-2014-9390
| seems to span multiple types of problems, possibly including all of:
| 
|   http://cwe.mitre.org/data/definitions/178.html
|   http://cwe.mitre.org/data/definitions/180.html
|   http://cwe.mitre.org/data/definitions/182.html
`----

This is fixed upstream in
<https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176>,
slated for inclusion in dulwich 0.9.9, though after that CVE-2014-9390
actually applies (to the extent that it's a meaningful vulnerability
identifier).

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-dulwich depends on:
ii  libc6      2.13-38+deb7u8
ii  python     2.7.3-4+deb7u1
ii  python2.6  2.6.8-1.1
ii  python2.7  2.7.3-6+deb7u2

Versions of packages python-dulwich recommends:
ii  python-fastimport  0.9.2-1

Versions of packages python-dulwich suggests:
pn  python-dulwich-dbg  <none>

-- no debconf information

--- End Message ---
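The report above comes down to one missing check: before a tree entry is written to the working tree, every path component must be tested for being the `.git` directory, and "being `.git`" has to cover the filesystem equivalences the thread lists (case-insensitive names, the NTFS 8.3 short name `git~1`, trailing dots and spaces that NTFS drops, and the code points HFS+ ignores, so that `.g\u200cit` compares equal to `.git`). The following is an added example of such a checkout-path validator written for this thread; it is not dulwich's code, not the upstream commit and not the Debian `03_CVE-2014-9706` patch. Assumptions: tree entries arrive as POSIX-style relative paths (bytes or str), the HFS+ ignorable list is modelled on the one git itself uses, and the sample tree listing at the bottom is constructed, not taken from any real repository.

```python
"""Checkout-path validation: refuse tree paths that would land inside .git/.

Added example for the CVE-2014-9706 report; not dulwich's own code.
"""

# Code points HFS+ ignores when comparing file names, so ".g\u200cit" names
# the same directory as ".git" there.  Assumption: mirrors git's own list.
_HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def _normalize_for_hfs(element: str) -> str:
    """Drop the code points HFS+ discards during name comparison."""
    return "".join(ch for ch in element if ord(ch) not in _HFS_IGNORABLE)


def _normalize_for_ntfs(element: str) -> str:
    """NTFS strips trailing dots and spaces, so ".git." opens ".git"."""
    return element.rstrip(". ")


def is_dotgit_element(element: str) -> bool:
    """True if one path component names the .git directory on any filesystem
    discussed in the thread: exact or case-insensitive match, HFS+ ignorable
    characters, NTFS trailing dots/spaces, and the 8.3 short name git~1."""
    candidates = {
        element,
        _normalize_for_hfs(element),
        _normalize_for_ntfs(element),
        _normalize_for_ntfs(_normalize_for_hfs(element)),
    }
    for candidate in candidates:
        lowered = candidate.lower()
        if lowered in (".git", "git~1"):
            return True
    return False


def validate_checkout_path(path) -> bool:
    """Return True if `path` may be written into a working tree.

    Rejects absolute paths, empty components, "." and "..", and any component
    equivalent to .git.  This is the class of check git applies at checkout
    and dulwich 0.8.5 lacked."""
    if isinstance(path, bytes):
        path = path.decode("utf-8", "surrogateescape")
    if path.startswith("/") or path.startswith("\\"):
        return False
    # Treat a backslash as a separator too: on Windows it would act as one.
    for element in path.replace("\\", "/").split("/"):
        if element in ("", ".", ".."):
            return False
        if is_dotgit_element(element):
            return False
    return True


def filter_tree_entries(entries):
    """Split tree paths into (safe, rejected) lists for a checkout pass."""
    safe, rejected = [], []
    for entry in entries:
        (safe if validate_checkout_path(entry) else rejected).append(entry)
    return safe, rejected


# Constructed sample tree listing (not from a real repository).
SAMPLE_TREE = [
    "README",
    "src/main.py",
    ".gitignore",                    # starts with .git but is a normal file
    "docs/.github/workflows/ci.yml",
    ".git/hooks/pre-commit",         # the path from the report
    ".GIT/config",                   # case-insensitive filesystems
    "git~1/hooks/pre-commit",        # NTFS 8.3 short name
    ".g\u200cit/hooks/pre-commit",   # HFS+ ignores U+200C
    ".git./HEAD",                    # NTFS drops the trailing dot
    "../escape",                     # plain traversal, rejected as well
]

if __name__ == "__main__":
    safe_paths, rejected_paths = filter_tree_entries(SAMPLE_TREE)
    for entry in rejected_paths:
        print("REJECT", repr(entry))
    for entry in safe_paths:
        print("ok    ", entry)
```

The validator is deliberately run on every component rather than only the first one, since a nested `sub/.git/hooks/pre-commit` entry would otherwise plant a hook into a submodule-style checkout; and it checks the normalized forms as a set so that a name needing two normalizations (HFS+ ignorable character plus a trailing dot) is still caught.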
--- Begin Message ---
Source: dulwich
Source-Version: 0.8.5-2+deb7u2

We believe that the bug you reported is fixed in the latest version of
dulwich, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated dulwich package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Mar 2015 13:18:17 +0100
Source: dulwich
Binary: python-dulwich python-dulwich-dbg
Architecture: source amd64
Version: 0.8.5-2+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Jelmer Vernooij <jel...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description: 
 python-dulwich - Python Git library
 python-dulwich-dbg - Python Git library - Debug Extension
Closes: 780989
Changes: 
 dulwich (0.8.5-2+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 03_CVE-2014-9706 patch.
     CVE-2014-9706: Don't allow writing to files under .git/ when checking
     out working trees. (Closes: #780989)
Checksums-Sha1: 
 4bc0f7ba75029a7fe240e142c94c30b6aa972ce0 1993 dulwich_0.8.5-2+deb7u2.dsc
 6517746d273df7015c2a36791b8c06937e38c649 6447 dulwich_0.8.5-2+deb7u2.debian.tar.gz
 59fe584fc5e9ec2cefa2d0a622be916504cfe0db 193408 python-dulwich_0.8.5-2+deb7u2_amd64.deb
 9890ab04502db6c9a9776b150967e4c34f2acd9a 107546 python-dulwich-dbg_0.8.5-2+deb7u2_amd64.deb
Checksums-Sha256: 
 fdecc9bbb327615594f2850a0ebd09c25a2238c51fcac1d4eff47e52e628945c 1993 dulwich_0.8.5-2+deb7u2.dsc
 a438a3d06f90698dba5737b8589652ada3723065aafbf0b55132ac3015a939f3 6447 dulwich_0.8.5-2+deb7u2.debian.tar.gz
 feb4b1c846e34bd754c3d1ba6d2859647b45e224364333217698a2c53bce2ee4 193408 python-dulwich_0.8.5-2+deb7u2_amd64.deb
 983494cb26d73bb806e058fe55e22420a7872928d02aa2fc41f4b896ad240e11 107546 python-dulwich-dbg_0.8.5-2+deb7u2_amd64.deb
Files: 
 f961fea575c4d7d1225bfa1ce133c0ed 1993 python optional dulwich_0.8.5-2+deb7u2.dsc
 920fc0d103d20f3f96232fa859603fb7 6447 python optional dulwich_0.8.5-2+deb7u2.debian.tar.gz
 317e8c63f635c607ee8243ea6ed25630 193408 python optional python-dulwich_0.8.5-2+deb7u2_amd64.deb
 e49247ae3a72bcbea4eb262e2f3fa5c2 107546 debug extra python-dulwich-dbg_0.8.5-2+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
