From: Jeff King <peff@peff.net>
To: Santiago Torres <santiago@nyu.edu>
Cc: Git <git@vger.kernel.org>
Subject: Re: [RFC] Malicously tampering git metadata?
Date: Thu, 17 Dec 2015 23:02:10 -0500 [thread overview]
Message-ID: <20151218040210.GA9585@sigill.intra.peff.net> (raw)
In-Reply-To: <20151216032639.GA1901@LykOS>
On Tue, Dec 15, 2015 at 10:26:39PM -0500, Santiago Torres wrote:
> An example of a malicious commit merge follows:
>
> 1) The attacker controlling or acting as the upstream server identifies
> two branches: one in which the unsuspecting developer is working on, and
> another in which a vulnerable piece of code is located.
One thing to make clear here: the side branch with the vulnerable code
must be a _new_ vulnerability that was not already part of the "main"
branch the developer is working on. That is, I do not immediately see a
way to resurrect an old vulnerability, because a merge of the old,
broken commit would not result in reintroducing it.
This is more about "there was experimental junk on branch X, and you
tricked some developer into pulling X onto Y, and now Y unexpectedly has
the junk on it". And I agree with Stefan that push-certs are the
intended defense against this.
Of course, in the real world things are much easier. Most projects do
not sign commits at all, let alone use push certs. If developers are
pulling from a compromised server, then you can simply make up whatever
broken commits you want, and there's no way to tell the difference
between them and the real commits.
-Peff
next prev parent reply other threads:[~2015-12-18 4:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-16 3:26 [RFC] Malicously tampering git metadata? Santiago Torres
2015-12-16 7:20 ` Stefan Beller
2015-12-18 1:06 ` Santiago Torres
2015-12-18 3:55 ` Jeff King
2015-12-18 4:02 ` Jeff King [this message]
2015-12-18 23:10 ` Theodore Ts'o
2015-12-19 17:30 ` Santiago Torres
2015-12-20 1:28 ` Theodore Ts'o
2016-01-12 18:21 ` Santiago Torres
2016-01-12 18:39 ` Stefan Beller
2016-01-14 17:16 ` Santiago Torres
2016-01-14 17:21 ` Stefan Beller
2016-01-22 18:00 ` Santiago Torres
2016-01-22 18:51 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151218040210.GA9585@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=santiago@nyu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).