git@vger.kernel.org mailing list mirror (one of many)
* Media query - Git flaw
From: Adam Bannister @ 2020-04-15 10:46 UTC (permalink / raw)
  To: git

Hi there,

I’m writing a story for web security publication The Daily Swig on the
research that uncovered a bug in Git:

https://bugs.chromium.org/p/project-zero/issues/detail?id=2021


I was wondering if someone who works on Git might have time to spare
to answer a question or two briefly?

If so, this is what I was thinking…

How did the disclosure and patching process go?


What is your advice to Git users?

Thanks for your time...

Regards,


--

Adam Bannister
The Daily Swig
https://portswigger.net/daily-swig


* Re: Media query - Git flaw
From: Junio C Hamano @ 2020-04-15 15:19 UTC (permalink / raw)
  To: Adam Bannister; +Cc: git

Adam Bannister <adam.bannister@portswigger.net> writes:

> How did the disclosure and patching process go?

I guess "Just like any other project" would be enough for you to
understand, given what you write and where ;-)

A security researcher discloses a possible vulnerability to the
git-security mailing list, which is a closed list.  On the list,
there are developers with relatively high familiarity with the
entire codebase, and there are those who are responsible for
managing binary packaging of the software to various distributions.

We prepare the fix.  We review the fix.  We repeat until we agree
that the proposed fix is what we want to deliver.

We arrange the coordinated disclosure and release among distro
people and other stakeholders.

All of the above has to be done out of public view.

Then we go public at the same time.  It happened at 1100 US/Pacific
on Apr 14th, 2020.  For this one, as the fix itself was relatively
straightforward, the time it took between the initial contact and
the release was spent mostly to wait for the slowest participant in
the coordinated disclosure process (obviously I won't name names).

> What is your advice to Git users?

Release is announced and users are urged to upgrade, like you wrote
in your article at The Daily Swig.


* Re: Media query - Git flaw
From: Jeff King @ 2020-04-15 15:47 UTC (permalink / raw)
  To: Adam Bannister; +Cc: Junio C Hamano, git

On Wed, Apr 15, 2020 at 08:19:18AM -0700, Junio C Hamano wrote:

> > What is your advice to Git users?
> 
> Release is announced and users are urged to upgrade, like you wrote
> on your article at The Daily Swig.

There's a little more detail and some workarounds discussed in the
advisory at:

 https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

-Peff


* Re: Media query - Git flaw
From: Adam Bannister @ 2020-04-21  8:46 UTC (permalink / raw)
  To: Jeff King; +Cc: Junio C Hamano, git

Forgot to say thanks for all your help and share the link!
https://portswigger.net/daily-swig/git-security-newline-injection-bug-tricked-version-control-system-into-leaking-usernames-and-password

Much appreciated...

On Wed, 15 Apr 2020 at 16:47, Jeff King <peff@peff.net> wrote:
>
> On Wed, Apr 15, 2020 at 08:19:18AM -0700, Junio C Hamano wrote:
>
> > > What is your advice to Git users?
> >
> > Release is announced and users are urged to upgrade, like you wrote
> > on your article at The Daily Swig.
>
> There's a little more detail and some workarounds discussed in the
> advisory at:
>
>  https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
>
> -Peff



-- 

Adam Bannister
The Daily Swig
https://portswigger.net/daily-swig
