From: Jeff King <peff@peff.net>
To: 1234dev <1234dev@protonmail.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Can Git repos be hacked or otherwise manipulated?
Date: Tue, 14 Jan 2020 17:08:26 -0500 [thread overview]
Message-ID: <20200114220826.GB3957260@coredump.intra.peff.net> (raw)
In-Reply-To: <fOv65WlolaWZ638trkwZ6nnWIaRu14wx8bYkLdqzidlHPvhYpg1f6TSa_Z7w7iFEsXSLkMzQ6EYTwo3ggF3oXrDh5U4LM_i2Rzx0BkMh7zI=@protonmail.com>
On Tue, Jan 14, 2020 at 02:48:05PM +0000, 1234dev wrote:
> Let's say you're working with a team of elite hackers, passing a
> tarball of a Git repo back and forth as you complete your mission. Now
> let's say one of them has malicious intent. What are the possibilities
> that he or she can, for instance, hide changes made to a script or
> binary that does something malicious if executed? Or perhaps maybe
> there are other such scenarios one should be made aware of?
It is absolutely not safe to run Git commands from a tarball of an
untrusted repo. There are many ways to execute arbitrary code specified
by a config option, and you'd be getting recipients .git/config.
Likewise for hooks.
And while we would consider it a bug if you can trigger a memory error
by reading a corrupted or malicious on-disk file, that's gotten _way_
less auditing than the code paths which take in objects from a remote.
So e.g., I would not be surprised if there are vulnerabilities that
could cause out-of-bounds reads of a corrupted .git/index.
-Peff
next prev parent reply other threads:[~2020-01-14 22:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-14 14:48 Can Git repos be hacked or otherwise manipulated? 1234dev
2020-01-14 22:08 ` Jeff King [this message]
2020-01-15 3:18 ` 1234dev
2020-01-15 3:43 ` Jonathan Nieder
2020-01-15 18:01 ` Jeff King
2020-01-16 20:15 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200114220826.GB3957260@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=1234dev@protonmail.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).