From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS31976 209.132.180.0/23 X-Spam-Status: No, score=-1.9 required=3.0 tests=AWL,BAYES_00,BODY_8BITS, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,FROM_STARTS_WITH_NUMS,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by dcvr.yhbt.net (Postfix) with ESMTP id B34551F466 for ; Wed, 15 Jan 2020 03:18:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728892AbgAODSk (ORCPT ); Tue, 14 Jan 2020 22:18:40 -0500 Received: from mail-40130.protonmail.ch ([185.70.40.130]:33151 "EHLO mail-40130.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728879AbgAODSk (ORCPT ); Tue, 14 Jan 2020 22:18:40 -0500 Date: Wed, 15 Jan 2020 03:18:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1579058317; bh=4iM4v7ZBKi1Klm5BdLfvceFOfkAY0XSZbxBaTLsQVzY=; h=Date:To:From:Reply-To:Subject:In-Reply-To:References:Feedback-ID: From; b=q6GQHrOgBQ5VLHE+Ve5KXzpHni64mqM3f08c+nA3neEugm2nEiRoueFwmhTrS4k+j jrUf1QbJwDQYTsmDb3WGgXR1JTO9Y7fBH3PKpZ4yszilPdK3OkYf8YFUnC7Z0XF3Fc 7tStwot1TDe+R0w0gsBpwuRTnBH/duOpXwJkBdao= To: Jeff King , "git@vger.kernel.org" From: 1234dev <1234dev@protonmail.com> Reply-To: 1234dev <1234dev@protonmail.com> Subject: Re: Can Git repos be hacked or otherwise manipulated? Message-ID: In-Reply-To: <20200114220826.GB3957260@coredump.intra.peff.net> References: <20200114220826.GB3957260@coredump.intra.peff.net> Feedback-ID: jm_lYfXrrNlRjeoYk2ubMr1Ofg3d6jxZVz74GfYfMumLfq3Q9_Z5n8vqkvDBYWSlKkQ9TIGL2Vvi-4DSzBFTyQ==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org Hello Jeff and thank you for your response! To work around this problem, should we instead host this repo on a public s= ervice? If so which one would you recommend? --Jonathan Sent with ProtonMail Secure Email. =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 On Tuesday, January 14, 2020 10:08 PM, Jeff King wrote: > On Tue, Jan 14, 2020 at 02:48:05PM +0000, 1234dev wrote: > > > Let's say you're working with a team of elite hackers, passing a > > tarball of a Git repo back and forth as you complete your mission. Now > > let's say one of them has malicious intent. What are the possibilities > > that he or she can, for instance, hide changes made to a script or > > binary that does something malicious if executed? Or perhaps maybe > > there are other such scenarios one should be made aware of? > > It is absolutely not safe to run Git commands from a tarball of an > untrusted repo. There are many ways to execute arbitrary code specified > by a config option, and you'd be getting recipients .git/config. > Likewise for hooks. > > And while we would consider it a bug if you can trigger a memory error > by reading a corrupted or malicious on-disk file, that's gotten way > less auditing than the code paths which take in objects from a remote. > So e.g., I would not be surprised if there are vulnerabilities that > could cause out-of-bounds reads of a corrupted .git/index. > > -Peff