Message ID | 20200420224310.9989-1-carenas@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | osxkeychain: restrict queries to requests with a valid host | expand |
Carlo Marcelo Arenas Belón <carenas@gmail.com> writes: > make sure that requests to this helper to get credentials return early if > there is no host ord the host is empty. > > Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com> > --- > contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > index bcd3f575a3..2264a88c41 100644 > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > @@ -69,6 +69,12 @@ static void find_internet_password(void) > UInt32 len; > SecKeychainItemRef item; > > + /* > + * Require at valid host to fix CVE-2020-11008 > + */ Just to clarify, you do not need this patch to "fix" it, as long as you are running up-to-date Git, right? In other words, this is more like a belt-and-suspender protection, isn't it? > + if (!host || !*host) > + return; > + > if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) > return;
On Mon, Apr 20, 2020 at 4:09 PM Junio C Hamano <gitster@pobox.com> wrote: > > Just to clarify, you do not need this patch to "fix" it, as long as > you are running up-to-date Git, right? In other words, this is more > like a belt-and-suspender protection, isn't it? the fixes in master do most of the work, but the way the underlying macOS function used works, will still randomly select a credential for cases where host="" Carlo
Carlo Arenas <carenas@gmail.com> writes: > On Mon, Apr 20, 2020 at 4:09 PM Junio C Hamano <gitster@pobox.com> wrote: >> >> Just to clarify, you do not need this patch to "fix" it, as long as >> you are running up-to-date Git, right? In other words, this is more >> like a belt-and-suspender protection, isn't it? > > the fixes in master do most of the work, but the way the underlying > macOS function > used works, will still randomly select a credential for cases where host="" That is like saying "most of the work but as a protection it does not work at all and still allows a random stuff to be chosen", no?
Hi! Carlo Marcelo Arenas Belón wrote: > make sure that requests to this helper to get credentials return early if > there is no host ord the host is empty. > > Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com> > --- > contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++ > 1 file changed, 6 insertions(+) We had mentioned while preparing v2.26.2 that after that release hardening the git side of the credential helper protocol, we should harden the helper side. Thanks for getting it started. [...] > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > index bcd3f575a3..2264a88c41 100644 > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > @@ -69,6 +69,12 @@ static void find_internet_password(void) > UInt32 len; > SecKeychainItemRef item; > > + /* > + * Require at valid host to fix CVE-2020-11008 > + */ > + if (!host || !*host) > + return; While we're here, is there any validation we should do for any of the other parameters to SecKeychainFindInternetPassword (username, path, port, protocol)? Also, should we check for duplicate fields as in CVE-2020-5260? > + > if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) > return; Thanks, Jonathan
Carlo Marcelo Arenas Belón <carenas@gmail.com> writes: > make sure that requests to this helper to get credentials return early if > there is no host ord the host is empty. > > Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com> > --- > contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > index bcd3f575a3..2264a88c41 100644 > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > @@ -69,6 +69,12 @@ static void find_internet_password(void) > UInt32 len; > SecKeychainItemRef item; > > + /* > + * Require at valid host to fix CVE-2020-11008 > + */ > + if (!host || !*host) > + return; > + > if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) > return; > > -- > 2.26.2.111.gbff22aa583 > We're currently using this patch downstream (removed the check for !*host after updates to this file), but I was wondering whether this change should also be in main. It seems like the discussion around this stalled and there was no definitive conclusion, but the change also at worst does nothing and could possibly be useful -- I see other functions where we're checking for the existence of "host". I wasn't around when all the changes around this CVE were happening so I'm not exactly sure how useful this patch this and whether we can get rid of it or not.
On Mon, Apr 22, 2024 at 07:48:12PM +0000, Calvin Wan wrote: > > diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > > index bcd3f575a3..2264a88c41 100644 > > --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c > > +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c > > @@ -69,6 +69,12 @@ static void find_internet_password(void) > > UInt32 len; > > SecKeychainItemRef item; > > > > + /* > > + * Require at valid host to fix CVE-2020-11008 > > + */ > > + if (!host || !*host) > > + return; > > + > > if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) > > return; > > > > -- > > 2.26.2.111.gbff22aa583 > > > > We're currently using this patch downstream (removed the check for > !*host after updates to this file), but I was wondering whether this > change should also be in main. It seems like the discussion around this > stalled and there was no definitive conclusion, but the change also at > worst does nothing and could possibly be useful -- I see other functions > where we're checking for the existence of "host". I wasn't around when > all the changes around this CVE were happening so I'm not exactly sure > how useful this patch this and whether we can get rid of it or not. I think this is mostly redundant with the protection on the sending side from 8ba8ed568e (credential: refuse to operate when missing host or protocol, 2020-04-18). Locking down the individual helpers more might be useful if they are run as independent programs (e.g., you could run "osxkeychain" manually and feed it input with a host, which would make its matching quite liberal). But since there isn't a way to trigger it in a normal workflow with untrusted input, I don't think there's much of a security implication. Looking at the patch above, I think it may cause issues with protocols that do not have a host (like "cert" ones we use for storing client-side certificate passphrases). But I'm not sure that osxkeychain can handle those anyway. I'm also not sure we didn't break that in 8ba8ed568e. That patch allows an empty string for the host, and the code in http.c to set up the credential struct for the cert uses an empty string. But doing a trivial test seems broken: $ touch foo.cert $ git -c http.sslcert=foo.cert ls-remote ... fatal: refusing to work with credential missing host field Curiously if you feed it a real cert and matching key, then curl itself prompts for the passphrase! And if you provide the correct one, then it does not need to check credential config/helpers, and it works. If you provide a bad one, we hit that same message trying to "reject" it (and I think that is what happens with the fake cert; curl likewise complains and we try to erase the passphrase before trying again). But that also means we have no opportunity to prompt/store ourselves, if curl is handling it. If you set GIT_SSL_CERT_PASSWORD_PROTECTED, then we do our own prompt ahead of time (and this correctly sets the hostname to the empty string). So the whole cert auth handling is kind of wonky, and it's not clear to me that anybody actually uses it, or what's supposed to work and what isn't. That's all sort of a tangent to your question, of course. ;) It is interesting that the fix we did in 8ba8ed568e still allows empty string hostnames, as I think such a hostname would cause osxkeychain to still liberally match its contents. So in that case maybe the patch above is doing something? I dunno. I think the real protection is avoiding either a NULL or empty-string hostname based on untrusted input in the first place. -Peff
diff --git a/contrib/credential/osxkeychain/git-credential-osxkeychain.c b/contrib/credential/osxkeychain/git-credential-osxkeychain.c index bcd3f575a3..2264a88c41 100644 --- a/contrib/credential/osxkeychain/git-credential-osxkeychain.c +++ b/contrib/credential/osxkeychain/git-credential-osxkeychain.c @@ -69,6 +69,12 @@ static void find_internet_password(void) UInt32 len; SecKeychainItemRef item; + /* + * Require at valid host to fix CVE-2020-11008 + */ + if (!host || !*host) + return; + if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item)) return;
make sure that requests to this helper to get credentials return early if there is no host ord the host is empty. Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com> --- contrib/credential/osxkeychain/git-credential-osxkeychain.c | 6 ++++++ 1 file changed, 6 insertions(+)