There were coordinated releases today of Git, Hg, and SVN to patch a
vulnerability associated with the use of "ssh://" in those systems.
If the hostname or some other property of the URL could be manipulated
to begin with a "-" character, then the constructed "ssh" command
would understand the name to be an option instead.  Apparently this
could lead to an attack in Git, Hg, and SVN.

I do not think that the attack surface is quite as big in Fossil.  (1)
Hardly anybody uses "ssh://" with Fossil since it works so very well
with "http://".  (2) The "ssh://" URL cannot be embedded inside of
Fossil, making it difficult to obscure the attack.  In order to work
with Fossil, the attacker must convince the victim to run a "sync" or
"clone" with a very dodgy-looking ssh:// URL.

I've checked in a fix for the problem in Fossil.  Please audit to
confirm that I did not miss anything.

I don't feel a particular need to rush out a new release containing
this fix.  But I am open to arguments to the contrary, if you feel
differently.

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
fossil-dev mailing list
fossil-dev@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/fossil-dev
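
The problem described in the message above (a URL component beginning with "-" being read by ssh as an option), shown as an added example; it is not Fossil's code and not the fix the message refers to. It validates an ssh:// URL before any command line is built. The names ssh_argv and UnsafeSshUrl and the sample URLs are hypothetical.

```python
from urllib.parse import urlsplit, unquote


class UnsafeSshUrl(ValueError):
    """Raised when an ssh:// URL could alter the ssh command line."""


def _check(name, value):
    # A leading "-" would make ssh read the value as an option, not a name.
    if value.startswith("-"):
        raise UnsafeSshUrl(f"{name} begins with '-': {value!r}")
    # Whitespace or control characters have no place in a host or user name.
    if any(c.isspace() or ord(c) < 0x20 for c in value):
        raise UnsafeSshUrl(f"{name} contains whitespace or control characters")
    return value


def ssh_argv(url, remote_command):
    """Return an argv list for ssh, or raise UnsafeSshUrl."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise UnsafeSshUrl(f"not an ssh:// URL: {url!r}")
    # Decode %XX escapes first so "%2D" cannot hide a leading dash.
    host = _check("host", unquote(parts.hostname or ""))
    if not host:
        raise UnsafeSshUrl("missing host")
    try:
        port = parts.port  # urlsplit raises ValueError for an invalid port
    except ValueError as exc:
        raise UnsafeSshUrl(f"bad port: {exc}") from None
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    dest = host
    if parts.username:
        dest = _check("user", unquote(parts.username)) + "@" + host
    # List form (no shell): each element reaches ssh as exactly one argument.
    return argv + [dest, remote_command]
```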