Re: git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands
- Date: Mon, 5 Feb 2018 12:43:12 -0800
- From: Jonathan Nieder <jrnieder@xxxxxxxxx>
- Subject: Re: git: CVE-2018-1000021: client prints server sent ANSI escape codes to the terminal, allowing for unverified messages to potentially execute arbitrary commands
Salvatore Bonaccorso wrote:
> the following vulnerability was published for git.
> |client prints server sent ANSI escape codes to the terminal, allowing
> |for unverified messages to potentially execute arbitrary commands
> Creating this bug to track the issue in the BTS. Apparently the CVE
> was sssigned without notifying/discussing it with upstream, at least
> according to .
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> For further information see:
>  https://security-tracker.debian.org/tracker/CVE-2018-1000021
>  https://bugzilla.novell.com/show_bug.cgi?id=1079389#c1
Thanks. Upstream was notified about this and we dropped the ball on
passing it on to a more public forum. Sorry about that.
I'd be interested in your advice on this. There are cases where the
user may *want* ANSI escape codes to be passed through without change
and other cases where the user doesn't want that. Commands like "git
diff" pass their output through a pager by default, which itself may
or may not sanitize the output.
In other words, there are multiple components at play:
1. A terminal. IMHO, it is completely inexcusable these days for a
terminal to allow arbitrary code execution by writing output to
it. If bugs of that kind still exist, I think we should fix them
(and perhaps even make it a requirement in Debian policy to make
the expectations clear for new terminals).
That said, for defense in depth, it can be useful to also guard
against this kind of issue in other components. In particular:
2. A pager. Are there clear guidelines for what it is safe and not
safe for a pager to write to a terminal?
"less -R" tries to only allow ANSI "color" escape sequences
through but I wouldn't be surprised if there are some cases it
3. Output formats. Some git commands are designed for scripting
and do not have a sensible way to sanitize their output without
breaking scripts. Fortunately, in the case of "git diff", git
has a notion of a "binary patch" where everything is sanitized,
at the cost of the output being unreadable to a human (email-safe
characters but not something that a human can read at a glance).
So if we know what sequences to avoid writing to stdout, then we
can treat files with those sequences as binary.