Fossil

2020-08-17
19:46 Closed ticket [980a72dedd]: RCE using a fake _FOSSIL_ file in a repository plus 4 other changes artifact: ef08ac1ee6 user: stephan
17:26 New ticket [17d00c20dd] Malformed manifest can crash manifest_parse(). artifact: 3e4261445e user: stephan
15:54 Ticket [980a72dedd] RCE using a fake _FOSSIL_ file in a repository status still Open with 5 other changes artifact: 46827fa143 user: stephan
15:17 Part 1 of ticket [980a72dedd]: efficient check for determining whether a filename ends with a checkout db name. check-in: ddd1273ea2 user: stephan tags: reject-ckout-db
08:44 New ticket [980a72dedd] RCE using a fake _FOSSIL_ file in a repository. artifact: ba7c34f705 user: drh

Ticket Hash: 980a72deddbce75f19a0ee8cde2466327d73c8d1
Title: RCE using a fake _FOSSIL_ file in a repository
Status: Closed Type: Code_Defect
Severity: Critical Priority: Immediate
Subsystem:
Resolution: Fixed
Last Modified: 2020-08-17 19:46:35
Created: 2020-08-17 08:44:27
Version Found In:
User Comments:
drh added on 2020-08-17 08:44:27:

Fossil does not allow a file named "_FOSSIL_" to be checked in, but it does allow it to be checked out. A malicious user with check-in privilege can create a rogue check-in that includes a new "_FOSSIL_" file that contains harmful values for settings such as "last-sync-url" and "ssh-command". When a victim updates to that rogue check-in and then tries to run some other command that involves auto-sync, the malicious "ssh-command" is run, resulting in RCE on the victim's machine.

This problem was discovered by Max Justicz.


stephan added on 2020-08-17 15:54:17:
stephan added on 2020-08-17 19:46:35:

Fixed in 4ed1a294ff5b90e2. As discussed, the names _FOSSIL_ and .fslckout, but not the long-since-unused original name of .fos, are now outright prohibited by manifest_parse(), as are either of those names with any of the suffixes (-wal, -shm, and -journal). The prohibition applies to the whole tree, not just the top directory.
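The rule described in the closing comment (reject _FOSSIL_ and .fslckout, with or without the -wal, -shm and -journal suffixes, anywhere in the tree, but not .fos) is small enough to show as a self-contained filename check. The following is an added example written for this page, not Fossil's own code from 4ed1a294ff5b90e2; it assumes manifest filenames use "/" as the separator, that only the final path component needs to be inspected (so a match in any subdirectory is rejected, as the comment requires), and it compares case-insensitively as a defensive choice for case-insensitive filesystems, which is an assumption rather than something the ticket states.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Checkout-database base names that must never appear in a manifest.
** ".fos" is deliberately absent, matching the ticket's resolution. */
static const char *const azReserved[] = { "_FOSSIL_", ".fslckout" };

/* SQLite sidecar suffixes; the empty string covers the bare name. */
static const char *const azSuffix[] = { "", "-wal", "-shm", "-journal" };

/* ASCII case-insensitive comparison of exactly n bytes.
** Callers guarantee both buffers hold at least n bytes. */
static int ci_equal(const char *a, const char *b, size_t n){
  size_t i;
  for(i=0; i<n; i++){
    if( tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]) ) return 0;
  }
  return 1;
}

/* Return 1 if the final path component of zName is a reserved checkout
** database name, optionally followed by one of the sidecar suffixes.
** Directory components are ignored, so "a/b/_FOSSIL_-wal" is rejected
** just like "_FOSSIL_-wal" at the top of the tree. Case-insensitive
** matching is an assumption made in this example. */
int is_checkout_db_name(const char *zName){
  const char *zTail = strrchr(zName, '/');
  size_t nTail, i, j;
  zTail = zTail ? zTail+1 : zName;
  nTail = strlen(zTail);
  for(i=0; i<sizeof(azReserved)/sizeof(azReserved[0]); i++){
    size_t nBase = strlen(azReserved[i]);
    for(j=0; j<sizeof(azSuffix)/sizeof(azSuffix[0]); j++){
      size_t nSuf = strlen(azSuffix[j]);
      if( nTail != nBase + nSuf ) continue;     /* length must match exactly */
      if( ci_equal(zTail, azReserved[i], nBase)
       && ci_equal(zTail+nBase, azSuffix[j], nSuf) ){
        return 1;
      }
    }
  }
  return 0;
}

/* Walk a list of filenames as a manifest parser would and count how many
** would be refused. Returns the number of rejected names. */
int count_rejected(const char *const *azNames, int nNames){
  int i, nBad = 0;
  for(i=0; i<nNames; i++){
    if( is_checkout_db_name(azNames[i]) ) nBad++;
  }
  return nBad;
}

int main(void){
  /* Constructed sample manifest entries for demonstration only. */
  static const char *const azSample[] = {
    "README.md",                 /* fine */
    "_FOSSIL_",                  /* rejected: bare checkout db name */
    "src/.fslckout-journal",     /* rejected: name plus suffix, in a subdir */
    ".fos",                      /* allowed: old name is not prohibited */
    "docs/_FOSSIL_.txt",         /* allowed: not an exact name or suffix match */
    "my_FOSSIL_",                /* allowed: prefix differs */
  };
  int n = (int)(sizeof(azSample)/sizeof(azSample[0]));
  int i;
  for(i=0; i<n; i++){
    printf("%-24s %s\n", azSample[i],
           is_checkout_db_name(azSample[i]) ? "REJECT" : "ok");
  }
  printf("%d of %d names rejected\n", count_rejected(azSample, n), n);
  return 0;
}
```

The exact-length test before the comparison is what keeps "_FOSSIL_.txt" and "my_FOSSIL_" out of the reject set while still catching every reserved name and suffix combination; extending the check to other separators or to directory components would be a separate decision for the parser.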