git@vger.kernel.org mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: 1234dev <1234dev@protonmail.com>
To: Jeff King <peff@peff.net>, "git@vger.kernel.org" <git@vger.kernel.org>
Subject: Re: Can Git repos be hacked or otherwise manipulated?
Date: Wed, 15 Jan 2020 03:18:34 +0000	[thread overview]
Message-ID: <bvMqhQOr4uENl8j2zcFOY0ogJmUqTRofCGyPlPc_xaXQXSP5ds9lgdglXkjTZng9U5WSpo-Uc2_SzCTdpAvLTeruT-tW3GTDkWj9dfLznuM=@protonmail.com> (raw)
In-Reply-To: <20200114220826.GB3957260@coredump.intra.peff.net>

Hello Jeff and thank you for your response!

To work around this problem, should we instead host this repo on a public service? If so which one would you recommend?

--Jonathan

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, January 14, 2020 10:08 PM, Jeff King <peff@peff.net> wrote:

> On Tue, Jan 14, 2020 at 02:48:05PM +0000, 1234dev wrote:
>
> > Let's say you're working with a team of elite hackers, passing a
> > tarball of a Git repo back and forth as you complete your mission. Now
> > let's say one of them has malicious intent. What are the possibilities
> > that he or she can, for instance, hide changes made to a script or
> > binary that does something malicious if executed? Or perhaps maybe
> > there are other such scenarios one should be made aware of?
>
> It is absolutely not safe to run Git commands from a tarball of an
> untrusted repo. There are many ways to execute arbitrary code specified
> by a config option, and you'd be getting recipients .git/config.
> Likewise for hooks.
>
> And while we would consider it a bug if you can trigger a memory error
> by reading a corrupted or malicious on-disk file, that's gotten way
> less auditing than the code paths which take in objects from a remote.
> So e.g., I would not be surprised if there are vulnerabilities that
> could cause out-of-bounds reads of a corrupted .git/index.
>
> -Peff



  reply	other threads:[~2020-01-15  3:18 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-14 14:48 Can Git repos be hacked or otherwise manipulated? 1234dev
2020-01-14 22:08 ` Jeff King
2020-01-15  3:18   ` 1234dev [this message]
2020-01-15  3:43     ` Jonathan Nieder
2020-01-15 18:01     ` Jeff King
2020-01-16 20:15       ` Junio C Hamano

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: http://vger.kernel.org/majordomo-info.html

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='bvMqhQOr4uENl8j2zcFOY0ogJmUqTRofCGyPlPc_xaXQXSP5ds9lgdglXkjTZng9U5WSpo-Uc2_SzCTdpAvLTeruT-tW3GTDkWj9dfLznuM=@protonmail.com' \
    --to=1234dev@protonmail.com \
    --cc=git@vger.kernel.org \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://80x24.org/mirrors/git.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).