List: oss-security
Subject: Re: [oss-security] Advisory: Git cvsserver OS Command Injection
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2017-09-28 14:53:02
Message-ID: 20170928145302.smwgiqa4n76cjp75 () eldamar ! local
Hi
On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
> Hi,
>
>
> see attached advisory.
>
> Cheers,
>
> joernchen
> --
> joernchen ~ Phenoelit
> <joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->
>
> [ Authors ]
> joernchen <joernchen () phenoelit de>
>
> Phenoelit Group (http://www.phenoelit.de)
>
> [ Affected Products ]
> Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
> https://git-scm.com
>
> [ Vendor communication ]
> 2017-09-08 Sent vulnerability details to the git-security list
> 2017-09-09 Acknowledgement of the issue, git maintainers ask if
> a patch could be provided
> 2017-09-10 Patch is provided
> 2017-09-11 Further backtick operations are patched by the git
> maintainers, corrections on the provided patch
> 2017-09-11 Revised patch is sent out
> 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
> invocation from `git-shell`
> 2017-09-22 Draft release for git 2.14.2 is created including the
> fixes
> 2017-09-26 Release of this advisory, release of fixed git versions
>
> [ Description ]
> The `git` subcommand `cvsserver` is a Perl script which makes excessive
> use of the backtick operator to invoke `git`. Unfortunately user input
> is used within some of those invocations.
>
>
> It should be noted that `git-cvsserver` will be invoked by `git-shell`
> by default without further configuration.
FTR, this has been assigned CVE-2017-14867.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867
Regards,
Salvatore
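The pattern the advisory describes, shown as an added example that is not code from git-cvsserver, git, or either poster: a Perl backtick string that interpolates a client-supplied ref and is therefore handed to /bin/sh, beside the list-form pipe that execs git directly. The helper names and the injected input are constructed for this illustration; git's own fix routed the affected calls through a list-form open wrapper already present in the script, which this example approximates but does not reproduce.

```perl
#!/usr/bin/perl
# Added example (not git-cvsserver's code): Perl backtick injection vs a
# list-form pipe. Run inside any git working tree.
use strict;
use warnings;

# Vulnerable pattern: $ref is interpolated into a double-quoted backtick
# string. Because the resulting command line contains shell metacharacters,
# Perl runs it via /bin/sh -c, so anything the client put in $ref after a
# ';' is executed as a separate shell command.
sub rev_parse_backticks {
    my ($ref) = @_;
    my $out = `git rev-parse --verify $ref 2>/dev/null`;
    chomp $out;
    return $out;
}

# Hardened pattern: open('-|', LIST) with more than one list element execs
# the program directly and passes $ref as one argv element; no shell ever
# parses it. Returns undef when the child exits non-zero.
# (Hypothetical helper; git's fix used its existing safe_pipe_capture.)
sub rev_parse_pipe {
    my (@cmd) = @_;
    open(my $fh, '-|', @cmd) or die "cannot exec $cmd[0]: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return undef if $? != 0;            # git rejected the argument
    chomp $out if defined $out;
    return $out;
}

# Constructed attacker-controlled input, of the kind a CVS client can send
# as a revision or module name: a valid ref followed by an injected command.
my $ref = 'HEAD; echo INJECTED';

print "backticks: ", rev_parse_backticks($ref), "\n";
print "list-form: ",
      (rev_parse_pipe('git', 'rev-parse', '--verify', $ref)
         // '(git rejected the argument)'), "\n";
```

Run in a repository, the backtick variant prints the commit id of HEAD followed by the line `INJECTED`; the list-form variant reports that git rejected the argument, because `HEAD; echo INJECTED` reaches git as a single, invalid revision name. Escaping the input before interpolation is the fragile alternative; removing the shell from the call path is what actually closes the hole.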