|
| From: | graydon hoare |
| Subject: | [Monotone-devel] security issue |
| Date: | Thu, 03 Feb 2005 10:30:35 -0500 |
| User-agent: | Mozilla Thunderbird 1.0 (X11/20041206) |
hi,last night I posted a change which addresses a security hole in monotone: several lua hooks were running os.execute() which in turn ran system() on a string. since this string included user data (file_paths), and file_path syntax has relaxed significantly to permit whitespace and semicolons, it was possible to encode shell commands in file_paths and have hooks execute them. if you happened to do an update or merge from a "trusted" source (which is weakly defined under the default rules) you might have been vulnerable to this form of attack.
I've replaced instances of os.execute() with calls to fork, execvp, and wait, and removed the system() and popen() paths from the lua library. if you're using monotone in a setting with not-really-well-trusted contributors, you might want to upgrade to a development head after 4899e5fe2e92124ac6ba4223aa4b80305e2a5aa8.
(I don't really know what the protocol is for this, or more serious security notices; presumably at some level of visibility and maturity it'll be the "right" thing to do to file a vulnerability report with various parties.. but is that sort of thing necessary while we're still an alpha project with rapidly changing code? I don't know. any advice?)
-graydon
| [Prev in Thread] | Current Thread | [Next in Thread] |