From: <rsbecker@nexbridge.com>
To: "'Krishnamurthy Ganesh B'" <ganeshsurfs@gmail.com>,
<git-security@googlegroups.com>, <git@vger.kernel.org>
Subject: RE: [bug] encryption of metadata in .git metadata file inside .git folder
Date: Mon, 23 Dec 2024 09:28:24 -0500
Message-ID: <000a01db5546$f034b7a0$d09e26e0$@nexbridge.com>
In-Reply-To: <CAMmT1pJ0ReaX+g2_gFQ2oLUrzhR5wCXGvCj_WwDMXcfG2DNG_g@mail.gmail.com>
On December 23, 2024 7:04 AM, Krishnamurthy Ganesh B wrote:
> I am raising a git security red flag on the .git metadata files storing git logs, commits,
> and other metadata inside the .git folder not being encrypted using a two-way salt or some
> other way like using a key for a two-way encryption or some method of software
> encryption internally if / because the .git folder metadata is not encrypted.
>
> This has been raised to GitHub before but will be raised again via a HackerOne security
> bug and to GitLab and Atlassian and other git repository source users if they are
> using their own internally modified sources.
>
> Most of the errors like these will be directly closed.
>
> https://kondukto.io/blog/git-scm-affected-by-cve-2024-32002
>
> https://socradar.io/critical-security-updates-for-git-scm-cve-2024-32002-cve-2024-32004-lead-to-rce/
>
> https://stackoverflow.com/questions/45578579/what-file-metadata-is-preserved-by-git
>
> Even packages like git-crypt do not encrypt metadata.
> https://github.com/AGWA/git-crypt
Have you explored using disk-level encryption to solve this? While I understand your
objective to "encrypt anything that might have data in it", there are solutions
independent of git that would cover most use cases. The problem with adding
symmetrical encryption to git is that it opens git up to export limitations and
related CVEs. It would also cause adoption issues with many organizations
who may have restrictions on whatever techniques git adopts to solve this.
My preferential solution is using COTS hardware encryption to protect
data-at-rest content.
--Randall