Breaking Git with a carriage return and cloning RCE

More information here (https://github.blog/open-source/git/git-security-vulnerabili...) on the new CVE:

> When reading a configuration value, Git will strip any trailing carriage return (CR) and line feed (LF) characters. When writing a configuration value, however, Git does not quote trailing CR characters, causing them to be lost when they are read later on. When initializing a submodule whose path contains a trailing CR character, the stripped path is used, causing the submodule to be checked out in the wrong place.

> If a symlink already exists between the stripped path and the submodule’s hooks directory, an attacker can execute arbitrary code through the submodule’s post-checkout hook.

Along with a bunch of other git CVEs that are worth a look.

Yes, unfortunately it's pretty trivial. Any time arbitrary file write is possible, RCE is usually possible too.

[flagged]

This bug is orthogonal to one source of truth. It is a pure logic bug that could have existed in a standard system library for config files if such existed on Unix.

And consider that consequences of such bug would be much worse if it was in a standard system library. At least here it is limited mostly to developers where machines are updated.

Nitpick: the DSL here ("ini file format") is arguably ad-hoc, but it's extremely common and well-understood, and simple enough to make a common law specification work well enough in practice. The bug here wasn't due to the format. What you're actually complaining about is the hand-coded parser[1] sitting in the middle of a C program like a bomb waiting to go off. And, yes, that nonsense should have died decades ago.

There are places for clever hand code, even in C, even in the modern world. Data interchange is very not much not one of them. Just don't do this. If you want .ini, use toml. Use JSON if you don't. Even YAML is OK. Those with a penchant for pain like XML. And if you have convinced yourself your format must be binary (you're wrong, it doesn't), protobufs are there for you.

But absolutely, positively, never write a parser unless your job title is "programming language author". Use a library for this, even if you don't use libraries for anything else.

[1] Fine fine, lexer. We are nitpicking, after all.

[dead]

> no subprocesses

I guess you're okay with breaking all git hooks, including post-checkout, because those are subprocesses as a feature.

You can always run your git operations in a container with seccomp or such if you're not using any of the many features that it breaks

> And no subprocesses.

have you never used git over ssh?

It would be odd if it didn't. Although the goal of homebrew is to execute the code in the repo.

The only situation where the RCE here is a problem is if you clone github repos containing data you don't want to execute. That's fairly unusual.

https://github.com/Homebrew/homebrew-core/pull/229423 or brew install git --HEAD

As the article says: "I find this particularly interesting because this isn't fundamentally a problem of the software being written in C. These are logic errors that are possible in nearly all languages, the common factor being this is a vulnerability in the interprocess communication of the components (either between git and external processes, or within the components of git itself). It is possible to draw a parallel with CRLF injection as seen in HTTP (or even SMTP smuggling)."

You can write this in any language. None of them will stop you. I'm on the cutting edge of "stop using C", but this isn't C's fault.

We keep getting RCEs in C because tons of useful programs are written in C. If someone writes a useful program in Rust, we'll get RCEs in Rust.

The article refutes that somewhat:

> I find this particularly interesting because this isn't fundamentally a problem of the software being written in C. These are logic errors that are possible in nearly all languages, the common factor being this is a vulnerability in the interprocess communication of the components (either between git and external processes, or within the components of git itself).

C programmers don't see C problems. They see logic errors that are possible in any language.

As mentioned in the article, this is a logic error that has nothing to do with C strings.

If only it were just the c code that was causing people to be owned lol

Using other languages would likely fix the issue but as a side-effect. Most people would expect a C-vs-Rust comparison so I’ll take Go as an example.

Nobody would write the configuration parsing code by hand, and just use whatever TOML library available at hand for Go. No INI shenanigans, and people would just use any available stricter format (strings must be quoted in TOML).

So yeah, Rust and Go and Python and Java and Node and Ruby and whatnot would not have the bug just by virtue of having a package manager. The actual language is irrelevant.

However, whatever the language, the same hand implementation would have had the exact same bug.

Suppose the system call to list a directory examined the place on the disk where a filename should be, and found bytes representing ASCII control characters. Should it deny the existence of the corresponding file? Assume disk corruption? Something else? After all, maybe (this is admittedly more theoretical than practical) those bytes map to something else in the current locale. It's not like modern Windows which assumes the filenames are all UTF-16.

Because filenames (and all other strings) are just bags of bytes on unix based systems.

I am not sure if there's bias on my part after reading your comment but yes, it is bothersome.

yeah I see what you mean. it's like the anti-aliasing is broken