You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
On Friday, 15 June 2018 18:49:53 UTC+2, Darragh Bailey wrote:

Hi,

Based on https://eclipse.googlesource.com/jgit/jgit/+/c86dcba7c45246562e07f952dcbbf44f9fc957c5 I'm wondering if there is any exposure to the recent zip-slip vulnerability in Gerrit?

Presumably if it is at all possible it's limited to a malicious user who already has authenticated access? Where they could manage to upload a pack file via a review and force Gerrit to unpack over a sensitive location by visiting via the web UI to look at the review?

Darragh
According to the relevant commit: https://eclipse.googlesource.com/jgit/jgit/+/0d908de53f5623223791dca59a1464d4cf2e3a51
ZipSlip is not a jgit vulnerability, but a maven one.
As gerrit does not use maven (unless you want to build some ancient version) I would not expect gerrit to be affected.
Björn
--
On Mon, Jun 18, 2018 at 1:51 PM 'Björn Pedersen' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:
According to the relevant commit: https://eclipse.googlesource.com/jgit/jgit/+/0d908de53f5623223791dca59a1464d4cf2e3a51
ZipSlip is not a jgit vulnerability, but a maven one.
The commit updates a few Maven plugins that were fixed to prevent the vulnerability, but that is not to say the vulnerability is limited only to Maven.
On Tue, Jun 19, 2018 at 8:12 PM Darragh Bailey <daragh...@gmail.com> wrote:
So for the moment inconclusive? Or just difficult to prove it's absolutely not vulnerable?

My initial thoughts were it would be unlikely, but there were really only two areas I could think of that might need confirmation: JGit handling of pack files (not even sure if it's possible for a pack file to suffer from the same issue) and plugin install, and the latter requires admin privs anyway so not too much of a worry.

If this affected git I would have expected to have heard something related to zip-slip and specially crafted pack files, so I'm presuming it's relatively unlikely, but it would be good to get confirmation from somewhere that jgit is definitely not impacted. But I'll take this part of the question to the jgit team.

It certainly sounds like there isn't anywhere in Gerrit that is obviously an issue, so thanks, and I will follow up on the jgit part separately.

There was a previous discussion on this list [1] where it was stated that jgit is not vulnerable, although there was another issue [2] related to submodule names.
--
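For readers checking their own code for the class of bug the thread is about, here is the zip-slip mechanism in miniature. This is an added example, not code from Gerrit, JGit, or any of the posters: it builds an archive in memory (constructed input, including a hypothetical crontab-style payload name) with one benign entry and two traversal entries, shows the destination an extractor that simply joins the entry name onto the target directory would write to, and then extracts with a canonical-path containment check that refuses the whole archive before writing anything. The second traversal entry (`../extract-old/x`) is there because a plain string-prefix check on the target directory would accept it.

```python
"""Zip-slip in miniature: why an archive entry named "../x" matters.

Added example, not code from Gerrit, JGit or the mailing-list thread.
Builds a zip in memory (constructed input), shows the naive destination a
careless extractor computes, and extracts with a containment check that
rejects any entry resolving outside the target directory.
"""
import io
import os
import tempfile
import zipfile

# Constructed archive contents. ENTRY_EVIL is a hypothetical payload name;
# ENTRY_SIBLING defeats a naive startswith(target_dir) check because
# "<tmp>/extract-old" does start with the string "<tmp>/extract".
ENTRY_OK = "plugin/plugin.jar"
ENTRY_EVIL = "../../etc/cron.d/evil"
ENTRY_SIBLING = "../extract-old/x"


def build_archive() -> bytes:
    """Return a zip whose entry names include traversal sequences."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(ENTRY_OK, b"benign")
        zf.writestr(ENTRY_EVIL, b"* * * * * root /bin/sh -c id\n")
        zf.writestr(ENTRY_SIBLING, b"overwrite a sibling directory")
    return buf.getvalue()


def naive_destination(target_dir: str, entry_name: str) -> str:
    """What an unsafe extractor computes: plain join, no validation."""
    return os.path.normpath(os.path.join(target_dir, entry_name))


def is_inside(target_dir: str, path: str) -> bool:
    """True iff path, after symlink/.. resolution, stays within target_dir.

    Uses commonpath rather than startswith so that a sibling directory
    sharing a name prefix with target_dir is not accepted.
    """
    root = os.path.realpath(target_dir)
    real = os.path.realpath(path)
    return os.path.commonpath([root, real]) == root


def escaped_entries(data: bytes, target_dir: str) -> list:
    """Names of entries whose naive destination lands outside target_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if not is_inside(target_dir, naive_destination(target_dir, n))]


class ZipSlipError(ValueError):
    pass


def safe_extract(data: bytes, target_dir: str) -> list:
    """Extract every entry, or refuse the whole archive if any would escape.

    Validation is a separate first pass so a bad entry late in the archive
    cannot leave a partially written tree behind. Returns names written.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        for info in infos:
            if not is_inside(target_dir, naive_destination(target_dir, info.filename)):
                raise ZipSlipError("entry escapes target dir: %r" % info.filename)
        written = []
        for info in infos:
            dest = naive_destination(target_dir, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo() -> dict:
    """Run the constructed archive through both views and report the outcome."""
    data = build_archive()
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "extract")
        os.makedirs(target)
        escaped = escaped_entries(data, target)
        try:
            safe_extract(data, target)
            blocked = False
        except ZipSlipError:
            blocked = True
        target_empty = os.listdir(target) == []
    return {"escaped": escaped, "blocked": blocked, "target_empty": target_empty}


if __name__ == "__main__":
    print(demo())
```

The check is the usual one: resolve both the target directory and the candidate path with `realpath`, then require the target to be a path-component prefix of the candidate. Do the comparison on resolved paths, not on the raw entry name, so symlinks already present under the target cannot be used to redirect a write.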