So it looks like we should be able to cherry-pick the patches with little to no issue on Zesty and Artful, but it seems some backporting *might* be required on Trusty and Xenial.
** Description changed:

  From oss-security[1]:

  [ Authors ]
- joernchen <joernchen () phenoelit de>
+ joernchen <joernchen () phenoelit de>
- Phenoelit Group (http://www.phenoelit.de)
+ Phenoelit Group (http://www.phenoelit.de)

  [ Affected Products ]
- Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
- https://git-scm.com
+ Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
+ https://git-scm.com

  [ Vendor communication ]
- 2017-09-08 Sent vulnerability details to the git-security list
- 2017-09-09 Acknowledgement of the issue, git maintainers ask if
-            a patch could be provided
- 2017-09-10 Patch is provided
- 2017-09-11 Further backtick operations are patched by the git
-            maintainers, corrections on the provided patch
- 2017-09-11 Revised patch is sent out
- 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
-            invocation from `git-shell`
- 2017-09-22 Draft release for git 2.14.2 is created including the
-            fixes
- 2017-09-26 Release of this advisory, release of fixed git versions
+ 2017-09-08 Sent vulnerability details to the git-security list
+ 2017-09-09 Acknowledgement of the issue, git maintainers ask if
+            a patch could be provided
+ 2017-09-10 Patch is provided
+ 2017-09-11 Further backtick operations are patched by the git
+            maintainers, corrections on the provided patch
+ 2017-09-11 Revised patch is sent out
+ 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
+            invocation from `git-shell`
+ 2017-09-22 Draft release for git 2.14.2 is created including the
+            fixes
+ 2017-09-26 Release of this advisory, release of fixed git versions

  [ Description ]
- The `git` subcommand `cvsserver` is a Perl script which makes excessive
- use of the backtick operator to invoke `git`. Unfortunately user input
- is used within some of those invocations.
+ The `git` subcommand `cvsserver` is a Perl script which makes excessive
+ use of the backtick operator to invoke `git`. Unfortunately user input
+ is used within some of those invocations.
-
- It should be noted, that `git-cvsserver` will be invoked by `git-shell`
- by default without further configuration.
+ It should be noted, that `git-cvsserver` will be invoked by `git-shell`
+ by default without further configuration.

  [ Example ]
- Below a example of a OS Command Injection within `git-cvsserver`
- triggered via `git-shell`:
+ Below a example of a OS Command Injection within `git-cvsserver`
+ triggered via `git-shell`:

- =====8<=====
+ =====8<=====
  [[email protected] ~]$ cat .ssh/authorized_keys
  command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....
  [[email protected] ~]$ ssh [email protected] cvs server
  Root /tmp
  E /tmp/ does not seem to be a valid GIT repository
  E error 1 /tmp/ is not a valid repository
  Directory . `id>foooooo`
  add
  fatal: Not a git repository: '/tmp/'
  Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.
  [[email protected] ~]$
  [[email protected] ~]$ cat foooooo
  uid=619(git) gid=618(git) groups=618(git)
  [[email protected] ~]$
- =====>8=====
+ =====>8=====

  [ Solution ]
- Upgrade to one of the following git versions:
- * 2.14.2
- * 2.13.6
- * 2.12.5
- * 2.11.4
- * 2.10.5
+ Upgrade to one of the following git versions:
+ * 2.14.2
+ * 2.13.6
+ * 2.12.5
+ * 2.11.4
+ * 2.10.5

  [ end of file ]
  -------------------

  No CVE has been assigned yet, but a fix has been released upstream and
  as seen above, the fixes are already in Debian.

+ The following upstream commits claim to fix the issue:
+ - 985f59c042320ddf0a506e553d5eef9689ef4c32
+ - 31add46823fe926e85efbfeab865e366018b33b4
+ - 6d6e2f812d366789fb6f4f9ea8decb4777f6f862
+ - dca89d4e56dde4b9b48d6f2ec093886a6fa46575
+
  [1] http://www.openwall.com/lists/oss-security/2017/09/26/9

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1719740

Title:
  [DSA 3984-1] Git cvsserver OS Command Injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
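The advisory above describes git-cvsserver passing a user-controlled module name through Perl's backtick operator, which hands the whole string to /bin/sh. As an added illustration that is not git-cvsserver's own code, the Perl below contrasts that pattern with a hardened form: a strict allowlist on the module name plus the list form of open(), so git is exec'd directly with no shell in between. The function names, the `git -C ... rev-parse` invocation and the sample inputs are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from git-cvsserver. Function names, the git
# invocation and the sample inputs are assumptions for illustration.
use strict;
use warnings;

# The pattern the advisory describes: a backtick string is handed to /bin/sh,
# so shell metacharacters in the interpolated module name are executed.
#   my $out = `git rev-parse --show-toplevel $module`;   # do not do this

# Hardening step 1: refuse anything that is not a plain module/path name
# before it reaches any process. Parent-directory components are rejected too.
sub valid_module {
    my ($module) = @_;
    return 0 unless defined $module && length $module;
    return 0 if $module =~ m{(^|/)\.\.(/|$)};
    return $module =~ m{\A[A-Za-z0-9._/-]+\z} ? 1 : 0;
}

# Hardening step 2: never go through the shell. The list form of open() with
# '-|' execs git directly; each element is one argv entry, so backticks,
# semicolons and redirections in the arguments are inert characters.
sub git_output {
    my ($dir, @args) = @_;
    open(my $fh, '-|', 'git', '-C', $dir, @args)
        or die "cannot run git: $!";
    my $out = do { local $/; <$fh> };
    close $fh;                      # sets $? to git's wait status
    return ($? >> 8, $out);
}

sub rev_parse_safe {
    my ($module) = @_;
    die "Invalid module '$module'\n" unless valid_module($module);
    my ($status, $out) = git_output($module, 'rev-parse', '--show-toplevel');
    return $status == 0 ? $out : undef;
}

# Constructed inputs: the injection string from the advisory, a normal name,
# and a traversal attempt. Only the second one is allowed to reach git.
for my $m ('`id>foooooo`', 'repo.git', '../etc') {
    printf "%-16s -> %s\n", $m, valid_module($m) ? 'accepted' : 'rejected';
}
```

Validation alone is not the fix; the list-form open() is what removes the shell from the path, and the allowlist is defence in depth against whatever git itself might do with an odd path.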
