'Re: [oss-security] Advisory: Git cvsserver OS Command Injection'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Advisory: Git cvsserver OS Command Injection
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-09-28 14:53:02
Message-ID: 20170928145302.smwgiqa4n76cjp75 () eldamar ! local
[Download RAW message or body]

Hi

On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
> Hi,
> 
> 
> see attached advisory.
> 
> Cheers,
> 
> joernchen
> -- 
> joernchen ~ Phenoelit
> <joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->
> 
> [ Authors ]
>         joernchen       <joernchen () phenoelit de>
> 
>         Phenoelit Group (http://www.phenoelit.de)
> 
> [ Affected Products ]
>         Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
>         https://git-scm.com
> 
> [ Vendor communication ]
>         2017-09-08 Sent vulnerability details to the git-security list
>         2017-09-09 Acknowledgement of the issue, git maintainers ask if
>                    a patch could be provided
>         2017-09-10 Patch is provided
>         2017-09-11 Further backtick operations are patched by the git
>                    maintainers, corrections on the provided patch
>         2017-09-11 Revised patch is sent out
>         2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
>                    invocation from `git-shell`
>         2017-09-22 Draft release for git 2.14.2 is created including the
>                    fixes
>         2017-09-26 Release of this advisory, release of fixed git versions
> 
> [ Description ]
> 	The `git` subcommand `cvsserver` is a Perl script which makes excessive
> 	use of the backtick operator to invoke `git`. Unfortunately user input
>         is used within some of those invocations.
> 
> 
> 	It should be noted, that `git-cvsserver` will be invoked by `git-shell`
>         by default without further configuration.

FTR, this has been assigned CVE-2017-14867.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic