SSH Signature verification does not consider the namespace

SSH signature verification for commits does not check that the signature was made in the git namespace (the namespace field of the SSHSIG format), so a signature produced for another protocol can be accepted as a commit signature, which allows cross-protocol attacks.

See also:

  • https://github.com/openssh/openssh-portable/blob/b7ffbb17e37f59249c31f1ff59d6c5d80888f689/PROTOCOL.sshsig#L53-L57
  • https://gitlab.com/gitlab-org/git/-/blob/main/gpg-interface.c#L540

cc: @bwill
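As an added illustration of the missing check (this is example code written for this issue, not code from git or OpenSSH), the script below parses the armored SSHSIG blob layout documented in PROTOCOL.sshsig and rejects any signature whose namespace field is not the one the verifier expects. The expected namespace `git`, the public-key bytes and the signature bytes are all constructed placeholders; the block only demonstrates the namespace binding and performs no cryptographic verification.

```python
import base64
import struct

# SSHSIG wire format (PROTOCOL.sshsig): magic, uint32 version, then five SSH
# strings: publickey, namespace, reserved, hash_algorithm, signature.
MAGIC = b"SSHSIG"
SIG_VERSION = 1
ARMOR_BEGIN = "-----BEGIN SSH SIGNATURE-----"
ARMOR_END = "-----END SSH SIGNATURE-----"


def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset `off`; return (value, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def build_sshsig(pubkey: bytes, namespace: bytes, hash_alg: bytes, sig: bytes) -> str:
    """Assemble an armored SSHSIG blob. Constructed test data only: the key and
    signature fields are placeholders, not a real key or a valid signature."""
    raw = (MAGIC + struct.pack(">I", SIG_VERSION) + _string(pubkey)
           + _string(namespace) + _string(b"") + _string(hash_alg) + _string(sig))
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ARMOR_BEGIN + "\n" + "\n".join(lines) + "\n" + ARMOR_END + "\n"


def parse_sshsig(armored: str) -> dict:
    """Strip the armor and split the blob into its named fields."""
    body = armored.strip().splitlines()
    if body[0] != ARMOR_BEGIN or body[-1] != ARMOR_END:
        raise ValueError("not an armored SSH signature")
    raw = base64.b64decode("".join(body[1:-1]))
    if raw[:6] != MAGIC:
        raise ValueError("bad SSHSIG magic")
    (version,) = struct.unpack_from(">I", raw, 6)
    if version != SIG_VERSION:
        raise ValueError(f"unsupported SSHSIG version {version}")
    off = 10
    fields = {}
    for name in ("publickey", "namespace", "reserved", "hash_algorithm", "signature"):
        fields[name], off = _read_string(raw, off)
    if off != len(raw):
        raise ValueError("trailing data after signature")
    return fields


def namespace_matches(armored: str, expected: bytes = b"git") -> bool:
    """The check this issue is about: a verifier for commit signatures must
    insist on the namespace it expects. Without it, a blob signed for another
    protocol (a different namespace) would be treated as a commit signature."""
    return parse_sshsig(armored)["namespace"] == expected


if __name__ == "__main__":
    # Constructed placeholders, not real key material.
    key, sig = b"placeholder-pubkey", b"\x00" * 64
    print(namespace_matches(build_sshsig(key, b"git", b"sha512", sig)))   # True
    print(namespace_matches(build_sshsig(key, b"file", b"sha512", sig)))  # False
```

In the real verification path the namespace is also part of the data that is signed, so a verifier that passes the expected namespace to `ssh-keygen -Y verify` with `-n git` rejects a blob carrying any other namespace; the parser above only shows the structural check that makes that binding explicit.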
