
Server and Client RCE in Git version 2.7.1 and below - breadtk
http://seclists.org/oss-sec/2016/q1/645
======
Mojah
A couple of thoughts on the potential impact: [https://ma.ttias.be/remote-code-execution-git-versions-clien...](https://ma.ttias.be/remote-code-execution-git-versions-client-server-2-7-1-cve-2016-2324-cve-2016%E2%80%912315/)

Server-side: github & bitbucket will get patched quickly, if they're even
still vulnerable. Self-hosted installations like Gitlab will be more
difficult, as it requires sysadmins to patch themselves. History has taught
us this takes too long.

Client-side: possibly the biggest impact, as nearly every Linux distribution
ships vulnerable versions. Any kind of local system user activity could
trigger the RCE. Technically, that includes any PHP, Ruby or Python site that
allows shell commands to be executed - which, by default, they nearly all do.

It has all the potential to be huge.

~~~
sytse
At GitLab this was fixed with [https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3240](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3240) which we plan to release tomorrow in 8.5.7
[https://gitlab.com/gitlab-org/gitlab-ce/issues/14308](https://gitlab.com/gitlab-org/gitlab-ce/issues/14308)

~~~
sytse
You can already download the fixed packages of 8.5.7 right now.

~~~
sytse
And the blog post is out
[https://about.gitlab.com/2016/03/16/gitlab-8-dot-5-dot-7-rel...](https://about.gitlab.com/2016/03/16/gitlab-8-dot-5-dot-7-released/)

~~~
sofaofthedamned
Nice, thanks for the fast response!

~~~
sytse
You're very welcome.

------
krallin
Note: if you're using Ubuntu, there is a semi-official PPA that has a non-vulnerable version (2.7.3): [https://launchpad.net/~git-core/+archive/ubuntu/ppa](https://launchpad.net/~git-core/+archive/ubuntu/ppa)

~~~
wyldfire
But a fix should come via the normal update channel soon? I'm on wily, should
I expect to add this PPA or risk vulnerability?

~~~
voltagex_
Ubuntu should announce the fix at
[https://www.ubuntu.com/usn/](https://www.ubuntu.com/usn/) but I can't load
the page right now.

(removed DSA link as per advice below)

~~~
0x0
That Debian advisory is a different, older vulnerability. Looks like they know
about it but haven't released anything yet:

[https://security-tracker.debian.org/tracker/source-package/g...](https://security-tracker.debian.org/tracker/source-package/git)

~~~
voltagex_
Oops, thanks.

------
mappu
Times like this I'm glad I'm still on Mercurial (no `strcpy` overflows in
Python). Is anyone planning on writing a DVCS in Rust?

~~~
tom9729
It wouldn't have to be a new DVCS. It could be a Rust implementation of Git.
e.g. Java Git implementation (JGit) used by Eclipse, Gerrit, etc.

~~~
kibwen
Pijul, linked in a sibling comment, appears to actually be a Rust
implementation of Darcs (or at least inspired by it).

~~~
pijul
Pijul is not a reimplementation of darcs, it's based on a new theory, without
the performance drawbacks of darcs.

Btw, rewriting darcs would really feel like reinventing the wheel. Haskell is
safe and great already.

------
sergioocon
[https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2315](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2315)

------
0x0
Sounds like this could be a big deal for bitbucket.org and gitlab.com? Esp.
considering private repositories there.

~~~
sytse
For sure a big deal, we're deploying GitLab.com as we speak
[https://twitter.com/gitlabstatus/status/709888872549847040](https://twitter.com/gitlabstatus/status/709888872549847040)

~~~
sytse
And GitLab.com is updated. If someone finds anything please contact us
[https://about.gitlab.com/disclosure/](https://about.gitlab.com/disclosure/)

------
koleslaw
BitBucket Cloud is currently on Git 2.1.1.1.g1fb337f (Version Info link in the
footer [https://bitbucket.org/support](https://bitbucket.org/support)). Anyone
know what about GitHub?

------
Mojah
Public mirror here if the official ones go down: [https://marc.ttias.be/oss-security/2016-03/msg00180.php](https://marc.ttias.be/oss-security/2016-03/msg00180.php)

------
swiley
Git kind of implies that you're going to execute something from the remote end
anyway so it's not something like Heartbleed....

~~~
teamhappy
Remote code execution is worse than Heartbleed.

~~~
swiley
Oops, my bad. I didn't realize this was a server side issue, that is pretty
bad.

