What can I do to protect all my users from vulnerability to CVE-2014-9390?

天相 周 December 18, 2014


I've already suggested that the users update their Git clients; what else can I do on the server side?

And I noticed that repos hosted on GitHub

"cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push. We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data."

https://github.com/blog/1938-git-client-vulnerability-announced

Bryan Turner
December 18, 2014

Tianxiang,

For the Stash side, foremost, upgrade the Git version on the server to a safe version. Once you've done that, you can enable exactly the same protections GitHub is enforcing with a couple of new Git settings added with the fix:

  • git config --bool core.protectHFS true
  • git config --bool core.protectNTFS true
  • git config --bool receive.fsckObjects true

There are two ways to apply these settings to all of your Stash repositories:

  1. By adding "--global" to the "git config" commands above (git config --global --bool ...) and running the commands as the user running Stash (usually "atlstash" if you've used our installer)
  2. By looping over each repository and running those three commands

To apply the settings to each repository, you could use (assuming you're running on Linux, and your current working directory is STASH_HOME/shared/data/repositories):

for repo in */; do echo "$repo"; (cd "$repo" && git config --bool core.protectHFS true && git config --bool core.protectNTFS true && git config --bool receive.fsckObjects true); done

(Note that if you're running Stash 3.1 or older, you'd run that same command in STASH_HOME/data/repositories, without "shared".)

Further, just so you're aware, we're working on patch releases of Stash for 3.1 and higher that will automatically reconfigure all of your repositories this way, so you don't have to manually do this unless you're in a hurry to get your repositories locked down.

Note that applying these settings does nothing if you are not running a fixed version of Git on the server! With the settings applied, users who attempt to push exploit paths will see:

Aphrael:hfs-exploit bturner$ git push --all http://admin@localhost:7990/stash/scm/cve/9390-hfs-exploit.git
Password for 'http://admin@localhost:7990':
Counting objects: 8, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (8/8), 638 bytes | 0 bytes/s, done.
Total 8 (delta 0), reused 0 (delta 0)
remote: error: object 675271b397520010afaa76aa1a2e718aab02dd60:contains '.git'
remote: fatal: Error in object
error: unpack failed: unpack-objects abnormal exit
To http://admin@localhost:7990/stash/scm/cve/9390-hfs-exploit.git
 ! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'http://admin@localhost:7990/stash/scm/cve/9390-hfs-exploit.git'

Hope this helps,
Bryan Turner
Atlassian Stash
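The answer above stresses two things: the three settings only help once the server's Git carries the fix, and they have to be applied to every bare repository. The script below is an added example, not Atlassian's code or part of the original answer. It checks the server's Git version against the upstream releases that shipped the fix (1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1 and anything newer, a list taken from the Git security release rather than from this page), then walks a repositories directory, skips anything that is not a bare repository, applies the settings with `git --git-dir` instead of `cd`, and reads each value back so a silent failure on one repository is reported rather than ignored. The `harden_repos` and `git_version_is_fixed` function names and the version-check logic are this example's own.

```shell
#!/bin/sh
# Added example: apply the CVE-2014-9390 server-side protections to every bare
# repository under a directory, but only after confirming Git has the fix.
# Intended to be run as the Stash service user, e.g.:
#   sh harden-repos.sh STASH_HOME/shared/data/repositories

# Returns 0 when a release version string such as "2.1.4" or "1.8.5.6" is one
# of the fixed releases (1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1) or newer.
# The fixed-release list is an assumption taken from the upstream advisory.
git_version_is_fixed() {
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split "a.b.c.d" on dots into $1..$4
    IFS=$old_ifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    case "$a.$b" in
        1.8) [ "$c" -eq 5 ] && [ "$d" -ge 6 ] ;;
        1.9) [ "$c" -ge 5 ] ;;
        2.0) [ "$c" -ge 5 ] ;;
        2.1) [ "$c" -ge 4 ] ;;
        2.2) [ "$c" -ge 1 ] ;;
        *)   [ "$a" -gt 2 ] || { [ "$a" -eq 2 ] && [ "$b" -ge 3 ]; } ;;
    esac
}

# Applies the three settings to each bare repository directly under $1 and
# prints the number of repositories hardened. Returns 1 if any setting could
# not be read back as "true".
harden_repos() {
    dir=$1
    count=0
    for repo in "$dir"/*/; do
        repo=${repo%/}
        # A bare repository has HEAD and objects/ at its top level; skip the rest.
        [ -f "$repo/HEAD" ] && [ -d "$repo/objects" ] || continue
        for key in core.protectHFS core.protectNTFS receive.fsckObjects; do
            git --git-dir="$repo" config --bool "$key" true
            # Verify the write instead of trusting the exit status alone.
            if [ "$(git --git-dir="$repo" config --bool --get "$key")" != true ]; then
                echo "failed to set $key in $repo" >&2
                return 1
            fi
        done
        count=$((count + 1))
    done
    echo "$count"
}

main() {
    ver=$(git --version | awk '{print $3}')
    if ! git_version_is_fixed "$ver"; then
        echo "Git $ver does not carry the CVE-2014-9390 fix; upgrade before relying on these settings" >&2
        exit 2
    fi
    n=$(harden_repos "$1") || exit 1
    echo "hardened $n repositories with Git $ver"
}

# Only run when invoked with a repositories directory as the argument.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Because each setting is re-read after it is written, a repository whose config file is unwritable by the service user shows up as an error instead of being skipped, which is the case the original one-line loop would have missed. The version gate refuses to proceed on an unfixed Git, matching the point in the answer that the settings do nothing on their own.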
