Bump regex from 1.10.4 to 1.10.5 (#1371) #3417
Security advisories found
7 advisory(ies), 2 unmaintained, 2 other
Details
Vulnerabilities
RUSTSEC-2024-0350
Traversal outside working tree enables arbitrary code execution
Details | |
---|---|
Package | gix-fs |
Version | 0.7.0 |
URL | GHSA-7w47-3wg8-547c |
Date | 2024-05-22 |
Patched versions | >=0.11.0 |
Summary
During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
Details
Although gix-worktree-state
checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs
and gix-worktree
prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git
directory. The simplest cases are:
- A tree named
..
to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon. - A tree named
.git
to enter a.git
directory. This facilitates arbitrary code execution because hooks can be installed.
A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
- A tree or blob whose name contains one or more
/
, to traverse upward or downward. For example, even without containing any tree named..
or.git
, a repository can represent a file named../outside
or.git/hooks/pre-commit
. This is distinct from the more intuitive case a repository containing trees that represent those paths. - In Windows, a tree or blob whose name contains one or more
\
, to traverse upward or downward. (Unlike/
, these are valid on other systems.) See GHSA-xjx4-8694-q2fq. - On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of
.git
. - On HFS+, a tree named like
.git
or a case variant, with characters added that HFS+ ignores in collation. See git/git@6162a1d. - On NTFS, a tree equivalent to
.git
(or a case variant) by the use of NTFS stream notation, such as.git::$INDEX_ALLOCATION
. See GHSA-5wph-8frv-58vj. - On an NTFS volume with 8.3 aliasing enabled, a tree named as
git~1
(or a case variant). See GHSA-589j-mmg9-733v.
When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
PoC
For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed
supports -i
, which is the case on most systems. If using Windows, a Git Bash shell should be used.
Example: Downward traversal to install hooks
- Create a new repository with
git init dangerous-repo-installs-hook
andcd
into the directory. - Create the stand-in called
.git@hooks@pre-commit
, with the contents:#!/bin/sh printf 'Vulnerable!\n' date >vulnerable
- Stage the stand-in:
git add --chmod=+x .git@hooks@pre-commit
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, on another or the same machine:
- Clone the repository with a
gix clone …
command. - Enter the newly created directory.
- Optionally run
ls -l .git/hooks
to observe that thepre-commit
hook is already present. - Make a new file and commit it with
git
. This causes the payload surreptitiously installed as apre-commit
hook to run, printing the messageVulnerable!
and creating a file in the current directory containing the current date and time.
Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit
is capable of.
Example: Upward traversal to create a file above the working tree
- Create a new repository with
git init dangerous-repo-reaches-up
, andcd
into the directory. - Create the stand-in:
echo 'A file outside the working tree, somehow.' >..@outside
- Stage the stand-in:
git add ..@outside
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, as above, on the same or another machine, clone the repository with a gix clone …
command. Observe that a file named outside
is present alongside (not inside) the cloned directory.
Impact
Any use of gix
or another application that makes use of gix-worktree-state
, or otherwise relies on gix-fs
and gix-worktree
for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix
is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
RUSTSEC-2024-0350
Traversal outside working tree enables arbitrary code execution
Details | |
---|---|
Package | gix-fs |
Version | 0.8.1 |
URL | GHSA-7w47-3wg8-547c |
Date | 2024-05-22 |
Patched versions | >=0.11.0 |
Summary
During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
Details
Although gix-worktree-state
checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs
and gix-worktree
prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git
directory. The simplest cases are:
- A tree named
..
to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon. - A tree named
.git
to enter a.git
directory. This facilitates arbitrary code execution because hooks can be installed.
A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
- A tree or blob whose name contains one or more
/
, to traverse upward or downward. For example, even without containing any tree named..
or.git
, a repository can represent a file named../outside
or.git/hooks/pre-commit
. This is distinct from the more intuitive case a repository containing trees that represent those paths. - In Windows, a tree or blob whose name contains one or more
\
, to traverse upward or downward. (Unlike/
, these are valid on other systems.) See GHSA-xjx4-8694-q2fq. - On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of
.git
. - On HFS+, a tree named like
.git
or a case variant, with characters added that HFS+ ignores in collation. See git/git@6162a1d. - On NTFS, a tree equivalent to
.git
(or a case variant) by the use of NTFS stream notation, such as.git::$INDEX_ALLOCATION
. See GHSA-5wph-8frv-58vj. - On an NTFS volume with 8.3 aliasing enabled, a tree named as
git~1
(or a case variant). See GHSA-589j-mmg9-733v.
When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
PoC
For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed
supports -i
, which is the case on most systems. If using Windows, a Git Bash shell should be used.
Example: Downward traversal to install hooks
- Create a new repository with
git init dangerous-repo-installs-hook
andcd
into the directory. - Create the stand-in called
.git@hooks@pre-commit
, with the contents:#!/bin/sh printf 'Vulnerable!\n' date >vulnerable
- Stage the stand-in:
git add --chmod=+x .git@hooks@pre-commit
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, on another or the same machine:
- Clone the repository with a
gix clone …
command. - Enter the newly created directory.
- Optionally run
ls -l .git/hooks
to observe that thepre-commit
hook is already present. - Make a new file and commit it with
git
. This causes the payload surreptitiously installed as apre-commit
hook to run, printing the messageVulnerable!
and creating a file in the current directory containing the current date and time.
Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit
is capable of.
Example: Upward traversal to create a file above the working tree
- Create a new repository with
git init dangerous-repo-reaches-up
, andcd
into the directory. - Create the stand-in:
echo 'A file outside the working tree, somehow.' >..@outside
- Stage the stand-in:
git add ..@outside
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, as above, on the same or another machine, clone the repository with a gix clone …
command. Observe that a file named outside
is present alongside (not inside) the cloned directory.
Impact
Any use of gix
or another application that makes use of gix-worktree-state
, or otherwise relies on gix-fs
and gix-worktree
for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix
is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
RUSTSEC-2024-0352
Refs and paths with reserved Windows device names access the devices
Details | |
---|---|
Package | gix-index |
Version | 0.25.0 |
URL | GHSA-49jc-r788-3fc9 |
Date | 2024-05-22 |
Patched versions | >=0.33.0 |
Summary
On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
Details
It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:
- In references,
gix-ref
does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited. - In paths,
gix-worktree-state
does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.
Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:
- Reading a ref whose last component (e.g., tag name) is
CON
orCONIN$
reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks. - Checking out a file named
CON
orCONOUT$
writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.
Another potentially important case is serial ports. For example, COM1
refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.
Naming Files, Paths, and Namespaces covers most reserved names. CONIN$
and CONOUT$
are also special, and are similar in effect to CON
but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt
is equivalent to CON
) and with some variations involving added spaces or colons.
PoC
Ref example
Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON
to create a lightweight tag named CON
. Place the repository somewhere it can be cloned on Windows. A file://
URL is sufficient for testing if a private remote is unavailable. If using git push
, pass --tags
so the remote has the tag.
On a Windows system, clone the repository with gix clone
. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with <kbd>Ctrl</kbd>+<kbd>C</kbd>.
However, if desired, input can be provided. Ending input with <kbd>Ctrl</kbd>+<kbd>Z</kbd> followed by <kbd>Enter</kbd> will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.
Path example
Create a repository on a non-Windows system (or in WSL) and commit a file named CON
with the contents:
warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file://
URL is sufficient.
On a Windows system, clone the repository with gix clone
. The output usually looks like this, with the deceptive message appearing to come from gix
:
warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
04:45:15 Resolving done 3.0 objects in 0.05s (58.0 objects/s)
04:45:15 Decoding done 309B in 0.05s (6.0KB/s)
04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
04:45:15 create index file done 3.0 objects in 0.05s (55.0 objects/s)
04:45:15 read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype
Caused by:
Incorrect function. (os error 1)
The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error:
line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.
Impact
If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.
The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.
For attacks using the CON
or CONOUT$
device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix
appears to recommend it. The user may then be misled into running an attacker's command.
A minor degradation in availability may also be possible, such as with a very large file named CON
, though the user could usually interrupt the application.
RUSTSEC-2024-0348
Traversal outside working tree enables arbitrary code execution
Details | |
---|---|
Package | gix-index |
Version | 0.25.0 |
URL | GHSA-7w47-3wg8-547c |
Date | 2024-05-22 |
Patched versions | >=0.33.0 |
Summary
During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
Details
Although gix-worktree-state
checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs
and gix-worktree
prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git
directory. The simplest cases are:
- A tree named
..
to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon. - A tree named
.git
to enter a.git
directory. This facilitates arbitrary code execution because hooks can be installed.
A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
- A tree or blob whose name contains one or more
/
, to traverse upward or downward. For example, even without containing any tree named..
or.git
, a repository can represent a file named../outside
or.git/hooks/pre-commit
. This is distinct from the more intuitive case a repository containing trees that represent those paths. - In Windows, a tree or blob whose name contains one or more
\
, to traverse upward or downward. (Unlike/
, these are valid on other systems.) See GHSA-xjx4-8694-q2fq. - On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of
.git
. - On HFS+, a tree named like
.git
or a case variant, with characters added that HFS+ ignores in collation. See git/git@6162a1d. - On NTFS, a tree equivalent to
.git
(or a case variant) by the use of NTFS stream notation, such as.git::$INDEX_ALLOCATION
. See GHSA-5wph-8frv-58vj. - On an NTFS volume with 8.3 aliasing enabled, a tree named as
git~1
(or a case variant). See GHSA-589j-mmg9-733v.
When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
PoC
For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed
supports -i
, which is the case on most systems. If using Windows, a Git Bash shell should be used.
Example: Downward traversal to install hooks
- Create a new repository with
git init dangerous-repo-installs-hook
andcd
into the directory. - Create the stand-in called
.git@hooks@pre-commit
, with the contents:#!/bin/sh printf 'Vulnerable!\n' date >vulnerable
- Stage the stand-in:
git add --chmod=+x .git@hooks@pre-commit
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, on another or the same machine:
- Clone the repository with a
gix clone …
command. - Enter the newly created directory.
- Optionally run
ls -l .git/hooks
to observe that thepre-commit
hook is already present. - Make a new file and commit it with
git
. This causes the payload surreptitiously installed as apre-commit
hook to run, printing the messageVulnerable!
and creating a file in the current directory containing the current date and time.
Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit
is capable of.
Example: Upward traversal to create a file above the working tree
- Create a new repository with
git init dangerous-repo-reaches-up
, andcd
into the directory. - Create the stand-in:
echo 'A file outside the working tree, somehow.' >..@outside
- Stage the stand-in:
git add ..@outside
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, as above, on the same or another machine, clone the repository with a gix clone …
command. Observe that a file named outside
is present alongside (not inside) the cloned directory.
Impact
Any use of gix
or another application that makes use of gix-worktree-state
, or otherwise relies on gix-fs
and gix-worktree
for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix
is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
RUSTSEC-2024-0351
Refs and paths with reserved Windows device names access the devices
Details | |
---|---|
Package | gix-ref |
Version | 0.38.0 |
URL | GHSA-49jc-r788-3fc9 |
Date | 2024-05-22 |
Patched versions | >=0.44.0 |
Summary
On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
Details
It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:
- In references,
gix-ref
does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited. - In paths,
gix-worktree-state
does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.
Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:
- Reading a ref whose last component (e.g., tag name) is
CON
orCONIN$
reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks. - Checking out a file named
CON
orCONOUT$
writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.
Another potentially important case is serial ports. For example, COM1
refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.
Naming Files, Paths, and Namespaces covers most reserved names. CONIN$
and CONOUT$
are also special, and are similar in effect to CON
but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt
is equivalent to CON
) and with some variations involving added spaces or colons.
PoC
Ref example
Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON
to create a lightweight tag named CON
. Place the repository somewhere it can be cloned on Windows. A file://
URL is sufficient for testing if a private remote is unavailable. If using git push
, pass --tags
so the remote has the tag.
On a Windows system, clone the repository with gix clone
. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with <kbd>Ctrl</kbd>+<kbd>C</kbd>.
However, if desired, input can be provided. Ending input with <kbd>Ctrl</kbd>+<kbd>Z</kbd> followed by <kbd>Enter</kbd> will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.
Path example
Create a repository on a non-Windows system (or in WSL) and commit a file named CON
with the contents:
warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file://
URL is sufficient.
On a Windows system, clone the repository with gix clone
. The output usually looks like this, with the deceptive message appearing to come from gix
:
warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
04:45:15 Resolving done 3.0 objects in 0.05s (58.0 objects/s)
04:45:15 Decoding done 309B in 0.05s (6.0KB/s)
04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
04:45:15 create index file done 3.0 objects in 0.05s (55.0 objects/s)
04:45:15 read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype
Caused by:
Incorrect function. (os error 1)
The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error:
line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.
Impact
If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.
The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.
For attacks using the CON
or CONOUT$
device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix
appears to recommend it. The user may then be misled into running an attacker's command.
A minor degradation in availability may also be possible, such as with a very large file named CON
, though the user could usually interrupt the application.
RUSTSEC-2024-0353
Refs and paths with reserved Windows device names access the devices
Details | |
---|---|
Package | gix-worktree |
Version | 0.26.0 |
URL | GHSA-49jc-r788-3fc9 |
Date | 2024-05-22 |
Patched versions | >=0.34.0 |
Summary
On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
Details
It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:
- In references,
gix-ref
does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited. - In paths,
gix-worktree-state
does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.
Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:
- Reading a ref whose last component (e.g., tag name) is
CON
orCONIN$
reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks. - Checking out a file named
CON
orCONOUT$
writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.
Another potentially important case is serial ports. For example, COM1
refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.
Naming Files, Paths, and Namespaces covers most reserved names. CONIN$
and CONOUT$
are also special, and are similar in effect to CON
but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt
is equivalent to CON
) and with some variations involving added spaces or colons.
PoC
Ref example
Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON
to create a lightweight tag named CON
. Place the repository somewhere it can be cloned on Windows. A file://
URL is sufficient for testing if a private remote is unavailable. If using git push
, pass --tags
so the remote has the tag.
On a Windows system, clone the repository with gix clone
. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with <kbd>Ctrl</kbd>+<kbd>C</kbd>.
However, if desired, input can be provided. Ending input with <kbd>Ctrl</kbd>+<kbd>Z</kbd> followed by <kbd>Enter</kbd> will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.
Path example
Create a repository on a non-Windows system (or in WSL) and commit a file named CON
with the contents:
warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file://
URL is sufficient.
On a Windows system, clone the repository with gix clone
. The output usually looks like this, with the deceptive message appearing to come from gix
:
warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
04:45:15 Resolving done 3.0 objects in 0.05s (58.0 objects/s)
04:45:15 Decoding done 309B in 0.05s (6.0KB/s)
04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
04:45:15 create index file done 3.0 objects in 0.05s (55.0 objects/s)
04:45:15 read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype
Caused by:
Incorrect function. (os error 1)
The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error:
line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.
Impact
If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.
The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.
For attacks using the CON
or CONOUT$
device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix
appears to recommend it. The user may then be misled into running an attacker's command.
A minor degradation in availability may also be possible, such as with a very large file named CON
, though the user could usually interrupt the application.
RUSTSEC-2024-0349
Traversal outside working tree enables arbitrary code execution
Details | |
---|---|
Package | gix-worktree |
Version | 0.26.0 |
URL | GHSA-7w47-3wg8-547c |
Date | 2024-05-22 |
Patched versions | >=0.34.0 |
Summary
During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
Details
Although gix-worktree-state
checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs
and gix-worktree
prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git
directory. The simplest cases are:
- A tree named
..
to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon. - A tree named
.git
to enter a.git
directory. This facilitates arbitrary code execution because hooks can be installed.
A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
- A tree or blob whose name contains one or more
/
, to traverse upward or downward. For example, even without containing any tree named..
or.git
, a repository can represent a file named../outside
or.git/hooks/pre-commit
. This is distinct from the more intuitive case a repository containing trees that represent those paths. - In Windows, a tree or blob whose name contains one or more
\
, to traverse upward or downward. (Unlike/
, these are valid on other systems.) See GHSA-xjx4-8694-q2fq. - On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of
.git
. - On HFS+, a tree named like
.git
or a case variant, with characters added that HFS+ ignores in collation. See git/git@6162a1d. - On NTFS, a tree equivalent to
.git
(or a case variant) by the use of NTFS stream notation, such as.git::$INDEX_ALLOCATION
. See GHSA-5wph-8frv-58vj. - On an NTFS volume with 8.3 aliasing enabled, a tree named as
git~1
(or a case variant). See GHSA-589j-mmg9-733v.
When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
PoC
For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed
supports -i
, which is the case on most systems. If using Windows, a Git Bash shell should be used.
Example: Downward traversal to install hooks
- Create a new repository with
git init dangerous-repo-installs-hook
andcd
into the directory. - Create the stand-in called
.git@hooks@pre-commit
, with the contents:#!/bin/sh printf 'Vulnerable!\n' date >vulnerable
- Stage the stand-in:
git add --chmod=+x .git@hooks@pre-commit
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, on another or the same machine:
- Clone the repository with a
gix clone …
command. - Enter the newly created directory.
- Optionally run
ls -l .git/hooks
to observe that thepre-commit
hook is already present. - Make a new file and commit it with
git
. This causes the payload surreptitiously installed as apre-commit
hook to run, printing the messageVulnerable!
and creating a file in the current directory containing the current date and time.
Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit
is capable of.
Example: Upward traversal to create a file above the working tree
- Create a new repository with
git init dangerous-repo-reaches-up
, andcd
into the directory. - Create the stand-in:
echo 'A file outside the working tree, somehow.' >..@outside
- Stage the stand-in:
git add ..@outside
- Edit the index:
env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
- Commit:
git commit -m 'Initial commit'
- Optionally, push to a private remote.
Then, as above, on the same or another machine, clone the repository with a gix clone …
command. Observe that a file named outside
is present alongside (not inside) the cloned directory.
Impact
Any use of gix
or another application that makes use of gix-worktree-state
, or otherwise relies on gix-fs
and gix-worktree
for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix
is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
Warnings
RUSTSEC-2021-0139
ansi_term is Unmaintained
Details | |
---|---|
Status | unmaintained |
Package | ansi_term |
Version | 0.12.1 |
URL | ogham/rust-ansi-term#72 |
Date | 2021-08-18 |
The maintainer has advised that this crate is deprecated and will not receive any maintenance.
The crate does not seem to have much dependencies and may or may not be ok to use as-is.
Last release seems to have been three years ago.
Possible Alternative(s)
The below list has not been vetted in any way and may or may not contain alternatives;
Dependency Specific Migration(s)
RUSTSEC-2020-0163
term_size
is unmaintained; useterminal_size
instead
Details | |
---|---|
Status | unmaintained |
Package | term_size |
Version | 0.3.2 |
URL | clap-rs/term_size-rs#31 |
Date | 2020-11-03 |
The term_size
crate is no longer maintained. Consider using
terminal_size
instead.