[blfs-book] [BLFS Trac] #9598: git-2.14.1

Thu, 10 Aug 2017 13:48:06 -0700 

#9598: git-2.14.1
-------------------------+-------------------------
 Reporter:  ken@…        |      Owner:  blfs-book@…
     Type:  enhancement  |     Status:  new
 Priority:  high         |  Milestone:  8.1
Component:  BOOK         |    Version:  SVN
 Severity:  normal       |   Keywords:
-------------------------+-------------------------
 From the release announcement copied to lkml:
 {{{

 }}}
 The latest maintenance release Git v2.14.1 is now available at the
 usual places, together with releases for older maintenance track for
 the same issue: v2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4,
 and v2.13.5.

 These contain a security fix for CVE-2017-1000117, and are released
 in coordination with Subversion and Mercurial that share a similar
 issue.  CVE-2017-9800 and CVE-2017-1000116 are assigned to these
 systems, respectively, for issues similar to it that are now
 addressed in their part of this coordinated release.

 [...]
 A malicious third-party can give a crafted "ssh://..." URL to an
 unsuspecting victim, and an attempt to visit the URL can result in
 any program that exists on the victim's machine being executed.
 Such a URL could be placed in the .gitmodules file of a malicious
 project, and an unsuspecting victim could be tricked into running
 "git clone --recurse-submodules" to trigger the vulnerability.

 Credits to find and fix the issue go to Brian Neel at GitLab, Joern
 Schneeweisz of Recurity Labs and Jeff King at GitHub.

  * A "ssh://..." URL can result in a "ssh" command line with a
    hostname that begins with a dash "-", which would cause the "ssh"
    command to instead (mis)treat it as an option.  This is now
    prevented by forbidding such a hostname (which should not impact
    any real-world usage).

  * Similarly, when GIT_PROXY_COMMAND is configured, the command is
    run with host and port that are parsed out from "ssh://..." URL;
    a poorly written GIT_PROXY_COMMAND could be tricked into treating
    a string that begins with a dash "-" as an option.  This is now
    prevented by forbidding such a hostname and port number (again,
    which should not impact any real-world usage).

  * In the same spirit, a repository name that begins with a dash "-"
    is also forbidden now.

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/9598>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page

Reply via email to