dulwich happily clones a repository which contains a commit with invalid paths, say .git/hooks/pre-commit, thus allowing execution of code on subsequent commits.

----cut---------cut---------cut---------cut---------cut---------cut-----
dummy () sid:~$ python PoC.py
dummy () sid:~$ dulwich clone PoC.git foo
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Total 5 (delta 0), reused 5 (delta 0)
Checking out HEAD
dummy () sid:~$ cd foo/
dummy () sid:~/foo$ git commit -m "test" --allow-empty
You just got cracked! (not really but you could have been!)
[master 9588153] test
dummy () sid:~/foo$ ls -l /tmp/cracked
-rw-r--r-- 1 dummy dummy 0 Mar 21 10:24 /tmp/cracked
dummy () sid:~/foo$
----cut---------cut---------cut---------cut---------cut---------cut-----

Upstream (Jelmer Vernooij) has fixed this with commit https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176
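As an added example (not dulwich's own code and not part of the report above), this is the kind of defensive path check a clone/checkout routine should run on every tree entry before writing it to the working directory, so that a fetched commit can never drop a file such as .git/hooks/pre-commit into the repository's own metadata; the function names, the NTFS handling and the sample tree entries are this example's own assumptions, not taken from the upstream fix:

```python
# Added example, not dulwich's own code: validate tree entry paths before a
# checkout writes them, so a fetched commit can never place files under .git/.
# Function names and the sample entries below are constructed for this example.
from typing import Iterable, List, Tuple

Entry = Tuple[bytes, int, bytes]  # (path, mode, sha) as found in a tree object

def path_element_is_safe(element: bytes, ntfs: bool = False) -> bool:
    """Return False for a single path component that would alias '.git'."""
    lowered = element.lower()  # '.GIT' is '.git' on case-insensitive filesystems
    if lowered == b".git":
        return False
    if ntfs:
        # NTFS ignores trailing dots/spaces and exposes 8.3 short names,
        # so '.git.' and 'GIT~1' can both resolve to the .git directory.
        stripped = lowered.rstrip(b". ")
        if stripped in (b".git", b"git~1"):
            return False
    return True

def path_is_safe(path: bytes, ntfs: bool = False) -> bool:
    """Reject absolute paths, empty/relative components and any .git alias."""
    if not path or path.startswith(b"/") or b"\\" in path:
        return False
    for element in path.split(b"/"):
        if element in (b"", b".", b".."):
            return False
        if not path_element_is_safe(element, ntfs):
            return False
    return True

def partition_entries(entries: Iterable[Entry], ntfs: bool = False) -> Tuple[List[Entry], List[Entry]]:
    """Split tree entries into (safe, rejected); rejected ones must not be checked out."""
    safe, rejected = [], []
    for entry in entries:
        (safe if path_is_safe(entry[0], ntfs) else rejected).append(entry)
    return safe, rejected

# Constructed sample tree, including the hook path from the report above.
SAMPLE_TREE: List[Entry] = [
    (b"README", 0o100644, b"a" * 40),
    (b".git/hooks/pre-commit", 0o100755, b"b" * 40),
    (b"src/.GIT/config", 0o100644, b"c" * 40),
    (b"GIT~1/hooks/post-checkout", 0o100755, b"d" * 40),
]

# On a POSIX checkout only the two .git entries are rejected; GIT~1 is rejected only with ntfs=True.
SAFE_ENTRIES, REJECTED_ENTRIES = partition_entries(SAMPLE_TREE, ntfs=False)
```

A checkout that aborts (rather than silently skips) when REJECTED_ENTRIES is non-empty gives the user a clear signal that the remote is hostile.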
Created python-dulwich tracking bugs for this issue:

Affects: fedora-all [bug 1204890]
Affects: epel-all [bug 1204891]
python-dulwich-0.10.0-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
python-dulwich-0.10.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
python-dulwich-0.10.0-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
python-dulwich-0.10.0-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-dulwich-0.10.0-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.