[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
It looks like this was assigned to CVE-2017-14867 but Launchpad (wonderfully) won't let me reflect that here.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14867

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1719740

Title:
  [DSA 3984-1] Git cvsserver OS Command Injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
Attached is a debdiff for Artful applicable to 2.14.1-1ubuntu3. I tested this locally and can find no regressions. I'd like a review from the security team (and an upload from someone who has access to, I'm only a MOTU) before I prepare the patches for the other releases to make sure the format is OK so I can just backport this upload. Thanks!

** Patch added: "1-2.14.1-1ubuntu4.debdiff" https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+attachment/4958278/+files/1-2.14.1-1ubuntu4.debdiff
[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
** Changed in: git (Debian) Status: Unknown => Fix Released
[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
** Bug watch added: Debian Bug tracker #876854 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854
** Also affects: git (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854 Importance: Unknown Status: Unknown
[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
So it looks like we should be able to cherry pick the patches with little to no issue on Zesty and Artful, but it seems some backporting *might* be required on Trusty and Xenial. ** Description changed: From oss-security[1]: [ Authors ] - joernchen + joernchen - Phenoelit Group (http://www.phenoelit.de) + Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] - Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver) - https://git-scm.com + Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver) + https://git-scm.com [ Vendor communication ] - 2017-09-08 Sent vulnerability details to the git-security list - 2017-09-09 Acknowledgement of the issue, git maintainers ask if -a patch could be provided - 2017-09-10 Patch is provided - 2017-09-11 Further backtick operations are patched by the git -maintainers, corrections on the provided patch - 2017-09-11 Revised patch is sent out - 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default -invocation from `git-shell` - 2017-09-22 Draft release for git 2.14.2 is created including the -fixes - 2017-09-26 Release of this advisory, release of fixed git versions + 2017-09-08 Sent vulnerability details to the git-security list + 2017-09-09 Acknowledgement of the issue, git maintainers ask if + a patch could be provided + 2017-09-10 Patch is provided + 2017-09-11 Further backtick operations are patched by the git + maintainers, corrections on the provided patch + 2017-09-11 Revised patch is sent out + 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default + invocation from `git-shell` + 2017-09-22 Draft release for git 2.14.2 is created including the + fixes + 2017-09-26 Release of this advisory, release of fixed git versions [ Description ] - The `git` subcommand `cvsserver` is a Perl script which makes excessive - use of the backtick operator to invoke `git`. Unfortunately user input - is used within some of those invocations. 
+ The `git` subcommand `cvsserver` is a Perl script which makes excessive + use of the backtick operator to invoke `git`. Unfortunately user input + is used within some of those invocations. - - It should be noted, that `git-cvsserver` will be invoked by `git-shell` - by default without further configuration. + It should be noted, that `git-cvsserver` will be invoked by `git-shell` + by default without further configuration. [ Example ] - Below a example of a OS Command Injection within `git-cvsserver` - triggered via `git-shell`: + Below a example of a OS Command Injection within `git-cvsserver` + triggered via `git-shell`: - =8<= + =8<= [git@...t ~]$ cat .ssh/authorized_keys command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa B3NzaC [joernchen@...t ~]$ ssh git@...alhost cvs server Root /tmp E /tmp/ does not seem to be a valid GIT repository E error 1 /tmp/ is not a valid repository Directory . `id>foo` add fatal: Not a git repository: '/tmp/' Invalid module '`id>foo`' at /usr/lib/git-core/git-cvsserver line 3807, line 4. [joernchen@...t ~]$ [git@...t ~]$ cat foo uid=619(git) gid=618(git) groups=618(git) [git@...t ~]$ - =>8= + =>8= [ Solution ] - Upgrade to one of the following git versions: - * 2.14.2 - * 2.13.6 - * 2.12.5 - * 2.11.4 - * 2.10.5 + Upgrade to one of the following git versions: + * 2.14.2 + * 2.13.6 + * 2.12.5 + * 2.11.4 + * 2.10.5 [ end of file ] --- No CVE has been assigned yet, but a fix has been released upstream and as seen above, the fixes are already in Debian. + The following upstream commits claim to fix the issue: + - 985f59c042320ddf0a506e553d5eef9689ef4c32 + - 31add46823fe926e85efbfeab865e366018b33b4 + - 6d6e2f812d366789fb6f4f9ea8decb4777f6f862 + - dca89d4e56dde4b9b48d6f2ec093886a6fa46575 + [1] http://www.openwall.com/lists/oss-security/2017/09/26/9
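The root cause named in the advisory quoted above (backtick invocations that interpolate user input), as an added Perl example that is not git-cvsserver code and not the upstream patch. It sets the backtick pattern beside a list-form pipe open that never involves a shell. Assumptions: `printf` stands in for the `git` call, the function names and the allow-list policy are hypothetical, and the input is a constructed string carrying a harmless `echo`.

```perl
#!/usr/bin/perl
# Added illustration; not git-cvsserver source and not the upstream patch.
use strict;
use warnings;

# UNSAFE: backticks hand the whole string to /bin/sh, so metacharacters in
# $module (backticks, $(...), ;, |) are interpreted before the command runs.
sub capture_unsafe {
    my ($module) = @_;
    my $out = `printf '%s\\n' $module`;    # printf stands in for a git call
    chomp $out;
    return $out;
}

# HARDENED: list-form pipe open executes the program directly and passes
# each argument verbatim, so no shell ever parses $module.
sub capture_safe {
    my ($module) = @_;
    open(my $fh, '-|', 'printf', '%s\n', $module)
        or die "cannot run printf: $!";
    my $out = do { local $/; <$fh> };      # slurp all output
    close($fh) or die "printf exited with status $?";
    $out //= '';
    chomp $out;
    return $out;
}

# Defence in depth (hypothetical policy): accept only plain path-like names.
sub module_name_ok {
    my ($module) = @_;
    return $module =~ m{\A[A-Za-z0-9._/-]+\z} ? 1 : 0;
}

# Constructed input shaped like the advisory's Directory argument, with a
# harmless echo in place of the advisory's command.
my $module = '`echo INJECTED`';

printf "unsafe capture : %s\n", capture_unsafe($module);
printf "safe capture   : %s\n", capture_safe($module);
printf "passes filter  : %s\n", module_name_ok($module) ? 'yes' : 'no';
```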
[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
Security Team: Debian marks this as a high importance vulnerability, I'll follow suit and change the importance here, please feel free to mark it otherwise. Otherwise, I plan on working on a fix for this, I'll put something here within an hour or two. Thanks!

** Changed in: git (Ubuntu Trusty) Importance: Undecided => High
** Changed in: git (Ubuntu Xenial) Importance: Undecided => High
** Changed in: git (Ubuntu Artful) Status: New => In Progress
** Changed in: git (Ubuntu Trusty) Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: git (Ubuntu Zesty) Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: git (Ubuntu Xenial) Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: git (Ubuntu Artful) Assignee: (unassigned) => Simon Quigley (tsimonq2)
** Changed in: git (Ubuntu Zesty) Importance: Undecided => High
** Changed in: git (Ubuntu Artful) Importance: Undecided => High
** Changed in: git (Ubuntu Zesty) Status: New => In Progress
** Changed in: git (Ubuntu Xenial) Status: New => In Progress
** Changed in: git (Ubuntu Trusty) Status: New => In Progress
[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
** Also affects: git (Ubuntu Artful) Importance: Undecided Status: New
** Also affects: git (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: git (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: git (Ubuntu Zesty) Importance: Undecided Status: New