
oss-sec mailing list archives
CVE-2020-5260: Git: malicious URLs may cause Git to present stored credentials to the wrong server
From: Solar Designer <solar () openwall com>
Date: Wed, 15 Apr 2020 20:59:44 +0200
Hi,

Taylor Blau brought this to the distros list a week ago (thanks!), but unfortunately failed to follow the distros list policy (despite being specifically informed of that requirement by distros list members, twice) to post the information to oss-security on the public disclosure date/time. So as list admin, after a delay of more than a day, I am taking over and doing this (being unhappy that I have to do it for others).

Quoting Taylor's original notification to distros:

---
The addressed issue is:

* CVE-2020-5260:
  With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.

  Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero.
---

I've attached Taylor's original message (sans its large attachment) to this posting.

Git security releases were made and a security advisory published yesterday:

https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q

I've also attached a text export from the above URL to this posting. (We also have a policy in here that most essential content must be included in the posting itself rather than only linked to, so that the posting remains valuable even when the external resources are gone.)

Alexander
Attachment: distros-ttaylorr-20200407.txt
Attachment: GHSA-qm7j-c969-7j4q.txt
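The advisory text quoted above describes the mechanism only in one sentence: the credential protocol is line-oriented (key=value lines), so a newline smuggled into one value lets the rest of that value be read as a fresh key, and a second host= line can steer the helper to credentials saved for a different host. The following is an added illustration written for this archive page; it is not Git's code, not the advisory's proof of concept, and makes no claim about which URL component Git decoded. It models a serializer that percent-decodes the path into the request, a helper in which the last occurrence of a key wins, and the shape of the fix (refuse any value containing a newline). The host names, the stored credential and both URLs are constructed.

```python
from urllib.parse import urlsplit, unquote

# Constructed credential store: what a helper might have saved for one host.
STORE = {"git.example.com": ("alice", "s3cret")}

# Constructed URLs. The path of the crafted one carries a percent-encoded
# newline (%0a) followed by a second host= line naming the victim host.
CRAFTED_URL = "https://one.example.com/repo%0ahost=git.example.com"
HONEST_URL = "https://one.example.com/repo"


def serialize_request(url: str, reject_newlines: bool) -> str:
    """Build the key=value request a line-oriented credential protocol
    hands to a helper (request ends with a blank line).

    reject_newlines=False writes every value out verbatim: the pre-fix
    behaviour modelled here.  reject_newlines=True refuses a value that
    contains a newline, which is the shape of the fix the advisory describes.
    """
    parts = urlsplit(url)
    fields = {
        "protocol": parts.scheme,
        "host": parts.hostname or "",
        # Percent-decoding is what turns %0a into a literal newline.
        "path": unquote(parts.path.lstrip("/")),
    }
    lines = []
    for key, value in fields.items():
        if reject_newlines and ("\n" in value or "\r" in value):
            raise ValueError(f"credential value for {key!r} contains a newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def helper_fill(request: str):
    """Model a helper: parse key=value lines until the blank line, with the
    last occurrence of a key winning (an assumption of this model), then look
    the host up in STORE.

    Returns (host the helper believed it was asked about, credential or None).
    """
    fields = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value
    host = fields.get("host", "")
    return host, STORE.get(host)


def lookup(url: str, hardened: bool):
    """Run one credential lookup end to end.

    Returns ("rejected", None) when the hardened serializer refuses the URL,
    otherwise whatever the helper answered.
    """
    try:
        request = serialize_request(url, reject_newlines=hardened)
    except ValueError:
        return "rejected", None
    return helper_fill(request)


if __name__ == "__main__":
    # Honest URL: the helper is asked about one.example.com and has nothing.
    print("honest, pre-fix   :", lookup(HONEST_URL, hardened=False))
    # Crafted URL, pre-fix: the injected host= line wins and alice's secret
    # for git.example.com would be sent to one.example.com.
    print("crafted, pre-fix  :", lookup(CRAFTED_URL, hardened=False))
    # Crafted URL, fixed: the value with the newline is refused outright.
    print("crafted, hardened :", lookup(CRAFTED_URL, hardened=True))
```

Two design points worth noting. The check is placed on the value before it is written, not on the URL as typed, because percent-decoding happens after URL parsing and a filter on the raw URL would miss the encoded form. And rejecting rather than escaping is the simpler safe choice for a line-oriented protocol with no escape syntax, since any escaping scheme would have to be understood identically by every helper implementation.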