HSEC-2023-0011

See a problem?
Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0011.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2023-0011
Aliases
Related
Published
2023-07-25T13:25:42Z
Modified
2023-12-13T13:01:13.109961Z
Summary
git-annex GPG decryption attack via compromised remote
Details

git-annex GPG decryption attack via compromised remote

A malicious server for a special remote could trick git-annex into decrypting a file that was encrypted to the user's GPG key. This attack could be used to expose encrypted data that was never stored in git-annex. Daniel Dent discovered this attack in collaboration with Joey Hess.

To perform this attack the attacker needs control of a server hosting an encrypted special remote used by the victim's git-annex repository. The attacker uses git annex addurl --relaxed with an innocuous URL, and waits for the user's git-annex to download it, and upload an (encrypted) copy to the special remote they also control. At some later point, when the user downloads the content from the special remote, the attacker instead sends them the content of the GPG-encrypted file that they wish to have decrypted in its place (which may have been exfiltrated from the victim's system via the attack described in HSEC-2023-0010 / CVE-2018-10857, or acquired by other means). Finally, the attacker drops their own copy of the original innocuous URL, and waits for the victim git-annex to send them the accidentially decrypted file.

The issue was fixed by making git-annex refuse to download encrypted content from special remotes, unless it knows the hash of the expected content. When the attacker provides some other GPG-encrypted content, it will fail the hash check and be discarded.

References

Affected packages

Hackage / git-annex

Package

Name
git-annex
Purl
pkg:hackage/git-annex

Severity

  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.20110417
Fixed
6.20180626

Affected versions

3.*

3.20110702
3.20110702.2
3.20110705
3.20110707
3.20110819
3.20110902
3.20110906
3.20110915
3.20110928
3.20111011
3.20111122
3.20111203
3.20111211
3.20111231
3.20120113
3.20120115
3.20120116
3.20120123
3.20120227
3.20120229
3.20120230
3.20120309
3.20120315
3.20120405
3.20120406
3.20120418
3.20120430
3.20120511
3.20120522
3.20120605
3.20120611
3.20120614
3.20120615
3.20120624
3.20120629
3.20120721
3.20120807
3.20120825
3.20120924
3.20121001
3.20121009
3.20121010
3.20121016
3.20121017
3.20121112
3.20121126
3.20121127
3.20121127.1
3.20121211
3.20130102
3.20130105
3.20130107
3.20130114
3.20130124
3.20130207
3.20130216.1

4.*

4.20130227
4.20130314
4.20130323
4.20130405
4.20130417
4.20130501
4.20130501.1
4.20130516
4.20130521
4.20130521.1
4.20130521.2
4.20130601
4.20130627
4.20130709
4.20130723
4.20130802
4.20130815
4.20130827
4.20130909
4.20130920
4.20130927
4.20131002
4.20131024
4.20131101
4.20131106

5.*

5.20131118
5.20131120
5.20131127
5.20131130
5.20131213
5.20131221
5.20131230
5.20140107
5.20140108
5.20140116
5.20140127
5.20140129
5.20140210
5.20140221
5.20140227
5.20140306
5.20140320
5.20140402
5.20140405
5.20140412
5.20140421
5.20140517
5.20140529
5.20140606
5.20140613
5.20140707
5.20140709
5.20140717
5.20140817
5.20140831
5.20140915
5.20140919
5.20140926
5.20140927
5.20141013
5.20141024
5.20141125
5.20141203
5.20141219
5.20141231
5.20150113
5.20150205
5.20150219
5.20150317
5.20150327
5.20150406
5.20150406.1
5.20150409
5.20150420
5.20150508
5.20150508.1
5.20150522
5.20150528
5.20150617
5.20150710
5.20150727
5.20150731
5.20150812
5.20150824
5.20150916
5.20150930
5.20151019
5.20151102
5.20151102.1
5.20151116
5.20151208
5.20151218

6.*

6.20160114
6.20160126
6.20160211
6.20160229
6.20160318
6.20160412
6.20160418
6.20160419
6.20160511
6.20160527
6.20160613
6.20160619
6.20160808
6.20160907
6.20160923
6.20161012
6.20161027
6.20161031
6.20161111
6.20161118
6.20161210
6.20170101
6.20170214
6.20170301
6.20170301.1
6.20170321
6.20170510
6.20170519
6.20170520
6.20170818
6.20170925
6.20171003
6.20171018
6.20171026
6.20171109
6.20171124
6.20171214
6.20180112
6.20180227
6.20180316
6.20180409
6.20180427
6.20180509
6.20180529