Possible bug reports for git-credential-libsecret

Dear Git Development team

Hi.
Recently, I noted that the vulnerability patch (CVE-2020-5260) for
"git credential" is not applied in the "git-credential-libsecret"
program (./contrib/credential/libsecret/git-credential-libsecret.c).

Actually, I'm not sure whether "git-credential-libsecret" is actually
used. But it can be potentially intimidating, thus it would be good to
apply the same patch of "git credential" to
"git-credential-libsecret".

- Patch for CVE-2020-5260
   * https://github.com/git/git/commit/9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b

- Similar but not patched code in "git-credential-libsecret"
   * https://github.com/git/git/blob/master/contrib/credential/libsecret/git-credential-libsecret.c#L306-L311
   * When I put the malicious URL in the test code shown in the
     CVE-2020-5260 patch into "git-credential-libsecret", it does not
     terminate.

Could you please check whether this is an actual bug?

Thank you.
Best regards,
Seunghoon Woo

-- 

Best regards,
Seunghoon Woo
Korea University Dept. of Computer Science and Engineering
Computer & Communication Security Lab.
seunghoonwoo@xxxxxxxxxxx
(+82)10-8147-9308
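
Added example, not part of the original message and not code from Git or git-credential-libsecret: the credential helper protocol exchanges newline-terminated key=value lines, and the CVE-2020-5260 fix linked above refuses to write a value that contains a newline. The function names and the sample value below are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Unchecked writer: formats "key=value\n" with no validation. */
static int write_item_unchecked(char *out, size_t len, const char *key, const char *value)
{
    int n = snprintf(out, len, "%s=%s\n", key, value);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Checked writer: refuses any value containing a newline and writes nothing. */
static int write_item_checked(char *out, size_t len, const char *key, const char *value)
{
    if (len)
        out[0] = '\0';
    if (strchr(value, '\n'))
        return -1;
    return write_item_unchecked(out, len, key, value);
}

/* Count the key=value lines a line-based reader would see in buf. */
static int count_fields(const char *buf)
{
    int fields = 0;
    const char *line = buf;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t n = eol ? (size_t)(eol - line) : strlen(line);
        if (memchr(line, '=', n))
            fields++;
        line += n + (eol ? 1 : 0);
    }
    return fields;
}

int main(void)
{
    const char *value = "alice\ninjected=1"; /* constructed sample value */
    char buf[128];

    write_item_unchecked(buf, sizeof(buf), "username", value);
    printf("unchecked: %d field(s) seen by reader\n", count_fields(buf));

    if (write_item_checked(buf, sizeof(buf), "username", value) < 0)
        printf("checked: value refused, nothing written\n");
    return 0;
}
```

A helper that emits or forwards fields without the newline check lets a single value be read by its peer as two separate fields.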


