Hi,

On Tue, 21 Mar 2017, Raphael Hertzog wrote:
> I tried to check out https://github.com/njhartwell/pw3nage while having
> bash-completion loaded and with a PS1 containing $(__git_ps1 2>/dev/null)
> or $(__git_ps1 " (%s)") and was unable to get any code execution.
>
> I'm not sure when the vulnerability was introduced, but it looks
> like 1.7.10.4-1+wheezy3 is not affected, at least when using bash.
>
> Can someone else double check?
Salvatore suggested to me that the vulnerability might have been introduced by
https://github.com/git/git/commit/1bfc51ac814125de03ddf1900245e42d6ce0d250

Looking a bit more closely, I would go even further and say that the
vulnerability is specific to that "pc_mode", meaning that it is only
exploitable when you set PROMPT_COMMAND='__git_ps1 "before" "after"' and
when PS1 is thus set dynamically by __git_ps1 itself.

By definition, PS1 is interpreted once when a prompt must be shown, and the
inclusion of a string like "$(foo)" by way of the substitution
"${b##refs/heads/}" is the core of the problem. But this is not possible if
you set PS1 statically to "...$(__git_ps1)...".

So I will mark wheezy as unaffected.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
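The distinction drawn above (static PS1 versus pc_mode) can be reproduced without a git checkout. The script below is an added example for this thread, not code from git-prompt.sh or from either e-mail. It uses a constructed ref name and a stand-in `__git_ps1` that inserts the name verbatim (the old behaviour); the real function reads the name from `git symbolic-ref`, here it comes from an assumed `FAKE_GIT_REF` variable. It needs a bash 4.4 or newer on PATH, because `${PS1@P}` expands a string exactly the way bash expands PS1 before drawing it (promptvars is on by default). The `pcfixed` mode is a hardening I added for contrast: it keeps pc_mode but lets PS1 reference a variable holding the ref name instead of the name itself.

```shell
#!/bin/sh
# Added example: model the two ways of wiring __git_ps1 into a bash prompt
# and show which one gives a crafted ref name a second round of expansion.
# Requires bash >= 4.4 for ${var@P}. Nothing here touches a real repository.

# Constructed ref name standing in for an attacker-chosen branch. The
# command it carries is harmless: it only echoes a marker.
EVIL_REF='$(echo PWNED)'

# Bash code run in a child bash. Its $1 selects the wiring:
#   static  - PS1 contains $(__git_ps1 " (%s)"), the non-pc_mode form
#   pcmode  - PROMPT_COMMAND='__git_ps1 "before" "after"', __git_ps1 sets PS1
#   pcfixed - pc_mode, but PS1 references a variable holding the ref name
bash_demo=$(cat <<'EOF'
# Stand-in for __git_ps1 (old behaviour): the ref name comes from the
# assumed $FAKE_GIT_REF instead of git symbolic-ref and is inserted verbatim.
__git_ps1() {
    local ref="$FAKE_GIT_REF"
    if [ $# -eq 2 ]; then
        if [ "$HARDENED" = 1 ]; then
            # Hardened pc_mode (added here): park the name in a variable and
            # put only the escaped variable reference into PS1, so prompt
            # expansion yields the name instead of executing it.
            __git_ps1_branch_name=$ref
            PS1="$1(\${__git_ps1_branch_name})$2"
        else
            # Vulnerable pc_mode: raw ref name ends up inside PS1.
            PS1="$1(${ref})$2"
        fi
    else
        printf -- "${1:- (%s)}" "$ref"
    fi
}
case $1 in
    static)
        PS1='before$(__git_ps1 " (%s)")after' ;;
    pcmode|pcfixed)
        if [ "$1" = pcfixed ]; then HARDENED=1; fi
        PROMPT_COMMAND='__git_ps1 "before" "after"'
        eval "$PROMPT_COMMAND"      # bash runs this before each prompt
        ;;
esac
printf '%s' "${PS1@P}"              # bash then expands PS1 to draw it
EOF
)

# Run one wiring in a fresh bash and print the prompt it would draw.
draw_prompt() {
    FAKE_GIT_REF="$EVIL_REF" bash -c "$bash_demo" bash "$1"
}

# Demo when executed directly:
#   static  -> before ($(echo PWNED))after   (name shown literally)
#   pcmode  -> before(PWNED)after            (the command ran)
#   pcfixed -> before($(echo PWNED))after    (name shown literally)
for mode in static pcmode pcfixed; do
    printf '%-8s %s\n' "$mode" "$(draw_prompt "$mode")"
done
```

In `static` mode bash performs the `$(__git_ps1 ...)` substitution while drawing the prompt, but the text that substitution returns is not expanded again, so the ref name is displayed as is. In `pcmode` the ref name is already part of PS1 when bash expands it, so its `$(...)` runs, which is exactly the pc_mode-only condition described above. The `pcfixed` variant shows that a pc_mode prompt can be kept safe by never placing the raw name in PS1.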