* Media query - Git flaw
@ 2020-04-15 10:46 Adam Bannister
From: Adam Bannister @ 2020-04-15 10:46 UTC (permalink / raw)
To: git
Hi there,

I’m writing a story for web security publication The Daily Swig on the
research that uncovered a bug in Git:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2021

I was wondering if someone who works on Git might have time to spare
to answer a question or two briefly?

If so, this is what I was thinking…

How did the disclosure and patching process go?
What is your advice to Git users?

Thanks for your time...
Regards,
--
Adam Bannister
The Daily Swig
https://portswigger.net/daily-swig
* Re: Media query - Git flaw
From: Junio C Hamano @ 2020-04-15 15:19 UTC (permalink / raw)
To: Adam Bannister; +Cc: git
Adam Bannister <adam.bannister@portswigger.net> writes:
> How did the disclosure and patching process go?

I guess "Just like any other project" would be enough for you to
understand, given what you write and where ;-)

A security researcher discloses a possible vulnerability to the
git-security mailing list, which is a closed list. On the list,
there are developers with relatively high familiarity with the
entire codebase, and there are those who are responsible for
managing binary packaging of the software to various distributions.

We prepare the fix. We review the fix. We repeat until we agree
that the proposed fix is what we want to deliver.

We arrange the coordinated disclosure and release among distro
people and other stakeholders.

All of the above have to be done away from the public.

Then we go public at the same time. It happened at 1100 US/Pacific
on Apr 14th, 2020. For this one, as the fix itself was relatively
straightforward, the time it took between the initial contact and
the release was spent mostly waiting for the slowest participant in
the coordinated disclosure process (obviously I won't name names).

> What is your advice to Git users?

Release is announced and users are urged to upgrade, like you wrote
in your article at The Daily Swig.
* Re: Media query - Git flaw
From: Jeff King @ 2020-04-15 15:47 UTC (permalink / raw)
To: Adam Bannister; +Cc: Junio C Hamano, git
On Wed, Apr 15, 2020 at 08:19:18AM -0700, Junio C Hamano wrote:

> > What is your advice to Git users?
>
> Release is announced and users are urged to upgrade, like you wrote
> on your article at The Daily Swig.

There's a little more detail and some workarounds discussed in the
advisory at:

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

-Peff
* Re: Media query - Git flaw
From: Adam Bannister @ 2020-04-21 8:46 UTC (permalink / raw)
To: Jeff King; +Cc: Junio C Hamano, git
Forgot to say thanks for all your help and share the link!

https://portswigger.net/daily-swig/git-security-newline-injection-bug-tricked-version-control-system-into-leaking-usernames-and-password

Much appreciated...

On Wed, 15 Apr 2020 at 16:47, Jeff King <peff@peff.net> wrote:
>
> On Wed, Apr 15, 2020 at 08:19:18AM -0700, Junio C Hamano wrote:
>
> > > What is your advice to Git users?
> >
> > Release is announced and users are urged to upgrade, like you wrote
> > on your article at The Daily Swig.
>
> There's a little more detail and some workarounds discussed in the
> advisory at:
>
> https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
>
> -Peff
--
Adam Bannister
The Daily Swig
https://portswigger.net/daily-swig