Add advisories for git-fastclone #232
gems/git-fastclone/OSVDB-1.yml
need a better description
I looked at the GitHub Fix Commit and came up with this description https://srcclr.com/security/command-injection/ruby/s-1922
@bburky / @longboardcat / @alokmenghrajani -- a few questions: Has a CVE/OSVDB ID been requested for square/git-fastclone#5 yet? Are the reports submitted to HackerOne going to be publicly disclosed? Would be useful for referencing. I haven't seen any advisories about these issues. Just making sure I'm not missing something.
The other issue disclosed on HackerOne was fixed in square/git-fastclone#2 and square/git-fastclone#3. It was an independent issue, but the same problem that was fixed in git core in CVE-2015-7545. @longboardcat, @alokmenghrajani I'd be fine with making the HackerOne issues public now that they have been resolved.
To my knowledge a CVE has not been requested for either of these issues fixed in git-fastclone.
That's okay with me. What do I need to do? James
@longboardcat -- referring to HackerOne or requesting CVE/OSVDB? For the former, in the report, select "Publicly disclose" or "Request public disclosure" or whatever the right option is from the drop-down box near the comment box. @bburky will need to do the same on his end so the reports are disclosed. For the latter, follow the directions outlined at http://guides.rubygems.org/security/#reporting-security-vulnerabilities -- specifically, I would e-mail oss-security@ and cve-assign@ with the information, requesting a CVE. I would then forward that request to OSVDB to get an assignment there as well. I'm happy to help you with this if you would like.
dd53a9d to 48f459c

I submitted http://seclists.org/oss-sec/2016/q1/166 for getting CVEs assigned. Also notified OSVDB.
Thanks! Haven't gotten around to any of this :( James
48f459c to 13b59d4

Hmmm, the only thing I can see is that git-fastclone hasn't actually pushed any packages to RubyGems since September 2015, whereas both of these pulls were merged Dec 2015.
@VanessaHenderson great catch. I made sure the version was uploaded, but I didn't notice the date. My bad. @longboardcat what's up with the rubygems mess? Can it be cleaned up to match reality?
The latest version should be correct, there were some mistakes earlier that James
@longboardcat what about the fix for OSVDB-133535? The pull indicated adds a log message and an if statement to the code https://github.com/square/git-fastclone/blob/14198fe12443055839b1ba4cc294b04a38ae15f1/lib/git-fastclone.rb#L250, which is not present anymore in master https://github.com/square/git-fastclone/blob/master/lib/git-fastclone.rb#L296. Looking at the code, it seems the implementation has changed (which is where my confusion was caused) square/git-fastclone@93a4634#diff-366e68110b1de1ebeb9dc33605fd697fL249, so perhaps this should be the fix commit listed instead of the PR, since those changes were quickly overwritten. Same with the other OSVDB link and square/git-fastclone@ac3dd98. I feel like these commits should be linked, because if people are using these commits for patches, they are going to use the not-current fixes for the patches, if that makes sense. Also, 1.0.5 is currently yanked from RubyGems, so do we want to list that as the "patched from" version if it's not actually present currently? Or are there plans to re-push this package in the near future?
Yes, square/git-fastclone@93a4634 replaces square/git-fastclone@14198fe with a better fix using the GIT_ALLOW_PROTOCOL environment variable newly introduced into git itself. If you can link to both square/git-fastclone#2 and square/git-fastclone#3 that would be best. @longboardcat Can we make https://hackerone.com/reports/104465 and https://hackerone.com/reports/105190 public please? Without the POCs it isn't terribly obvious that both of these vulnerabilities are remotely exploitable with an attacker controlled git repo or git server.
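The mitigation described in the comment above, as an added illustration that is not git-fastclone's own code: git honours GIT_ALLOW_PROTOCOL both for the top-level clone and for every submodule it fetches recursively, so an allow-list set in the child process environment also covers URLs that arrive in a cloned repository's .gitmodules and never pass through the caller's own checks. The allow-list contents, the helper names (git_env, git_transport, url_protocol_allowed?, clone_argv, fastclone) and the argv layout are this example's choices; that git-fastclone's fix is structured this way is an assumption, not something the thread states.

```ruby
# Added example (not git-fastclone's code): run a recursive clone with
# git's transport allow-list set, so that submodule URLs supplied by the
# cloned repository are restricted by git itself via GIT_ALLOW_PROTOCOL,
# the mechanism introduced alongside the CVE-2015-7545 fix in git core.

# Transports permitted for the clone and for every recursive submodule
# fetch. Remote helpers such as ext:: are deliberately absent. This list
# is the example's choice, not a value taken from git-fastclone.
SAFE_GIT_PROTOCOLS = %w[https ssh git].freeze

# Environment passed to the git child process; git expects a
# colon-separated list.
def git_env(allowed = SAFE_GIT_PROTOCOLS)
  { 'GIT_ALLOW_PROTOCOL' => allowed.join(':') }
end

# Work out which transport git would use for a URL, or nil if unknown.
# scp-style "user@host:path" has no scheme and is carried over ssh.
def git_transport(url)
  if (m = url.match(/\A([A-Za-z][A-Za-z0-9+.-]*):/))
    m[1].downcase
  elsif url.match?(%r{\A[^/@:]+@[^/:]+:})
    'ssh'
  end
end

# Caller-side check on the URL the user hands us. This alone is not
# enough: submodule URLs come from the repository, which is why the
# environment allow-list above is the load-bearing control.
def url_protocol_allowed?(url, allowed = SAFE_GIT_PROTOCOLS)
  allowed.include?(git_transport(url))
end

# Array-form argv: no shell is involved, so metacharacters in the URL
# stay literal arguments, and "--" keeps a URL beginning with "-" from
# being parsed by git as an option.
def clone_argv(url, dest)
  ['git', 'clone', '--recursive', '--', url, dest]
end

# Check the caller-supplied URL, then let GIT_ALLOW_PROTOCOL police the
# submodule URLs the repository itself supplies during the recursion.
def fastclone(url, dest)
  raise ArgumentError, "transport not allowed for #{url}" unless url_protocol_allowed?(url)
  system(git_env, *clone_argv(url, dest), exception: true)
end
```

A call such as `fastclone('https://example.com/org/repo.git', 'repo')` (example values) runs git with both the caller-side check and the child-environment allow-list in place; the two controls are independent, and the environment one is what closes the submodule path the comment refers to.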
I can't even see them for some reason. I'll ask ping the Square employee James
@aviat what's the issue? The vulnerabilities were reported to Square via https://hackerone.com/square-open-source, of which the
The reports should be public now. James
I can confirm they are public 👍
Sorry for the ridiculous delay on these. HackerOne has assigned CVEs for the two issues here: I'll update the advisories and get this pushed.
@reedloden it looks like the reports are up: https://hackerone.com/reports/104465 and https://hackerone.com/reports/105190. Do you mind updating the advisories with the CVEs and links to the reports? sigh, I wish GitHub made it easier for me to just push to your PR :(
Moved to #277 |
WIP -- missing OSVDB/CVE entry for one advisory