[Advisory] SECURITY BUG in BitKeeper - Carl-Daniel Hailfinger

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Carl-Daniel Hailfinger <hailfinger-lists@syss.de>
To: bugtraq@securityfocus.com
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: [Advisory] SECURITY BUG in BitKeeper
Date: Tue, 19 Aug 2003 01:09:44 +0200	[thread overview]
Message-ID: <3F415CB8.9080801@SySS.de> (raw)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SySS Security Advisory

Date: 2003-07-25 (Published 2003-08-19)

Author: Carl-Daniel Hailfinger <hailfinger-lists@SySS.de>
        SySS GmbH
        72070 Tübingen / Germany
        Phone: +49-7071-407856-0
        http://www.syss.de

Permanent URL: http://www.syss.de/advisories.php?id=7&year=2003

Application: BitKeeper

Affected versions: All versions <3.0.2

Application notes: BitKeeper is an advanced source code control system
like CVS, see http://www.bitkeeper.com

Vendor status: The vendor of BitKeeper is aware of the problem and has
documented it since at least two years. BitMover has been contacted by me
on 2003-07-25.

Type: Configuration error: insecure by default, fix is documented

Description: Certain parts of the trigger functionality in BitKeeper can
be abused by an attacker if a user accepts a patch containing specially
crafted files.

Severity: Critical.

Affected persons: Any user running bitkeeper and accepting patches from
outside of a trusted network - possibly the majority of Linux Kernel
developers.

Additional notes: I have an exploit readily available.

Because of the severity of this issue, BitMover has been contacted and is
working with SySS and the BK users to resolve the issue before exposing
the details of the problem.  There will be a followup security advisory in
2-4 weeks, after people feel that the problem has been contained; the
followup will disclose the details of the problem.

Workaround: If you are worried about it you can add
	export BK_NO_TRIGGERS=YES
to your .profile and the trigger functionality will be disabled.

Regards,
Carl-Daniel

- --
Carl-Daniel Hailfinger
Security Consultant
SySS GmbH
Friedrich-Dannenmann-Str. 2
D-72070 Tuebingen
Phone: +49-7071-407856-0
Mail: hailfinger-lists@syss.de
http://www.syss.de
Key fingerprint: B35E 0E38 9A18 3B25 209F  002E 4743 1599 A495 B6E5

-----BEGIN PGP SIGNATURE-----

iD4DBQE/QVyyR0MVmaSVtuURAq+uAJ0bE5rl7Khcz6R2T+hM8NJH/9fLqACY+J/T
z5E2BbUC9xxR4IR4LdOxcw==
=p2oN
-----END PGP SIGNATURE-----

                 reply	other threads:[~2003-08-19 21:14 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3F415CB8.9080801@SySS.de \
    --to=hailfinger-lists@syss.de \
    --cc=bugtraq@securityfocus.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox