oss-sec mailing list archives
Re: Advisory: Git cvsserver OS Command Injection
From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 28 Sep 2017 16:53:02 +0200
Hi On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
Hi, see attached advisory. Cheers, joernchen -- joernchen ~ Phenoelit <joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344 http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++---> [ Authors ] joernchen <joernchen () phenoelit de> Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver) https://git-scm.com [ Vendor communication ] 2017-09-08 Sent vulnerability details to the git-security list 2017-09-09 Acknowledgement of the issue, git maintainers ask if a patch could be provided 2017-09-10 Patch is provided 2017-09-11 Further backtick operations are patched by the git maintainers, corrections on the provided patch 2017-09-11 Revised patch is sent out 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default invocation from `git-shell` 2017-09-22 Draft release for git 2.14.2 is created including the fixes 2017-09-26 Release of this advisory, release of fixed git versions [ Description ] The `git` subcommand `cvsserver` is a Perl script which makes excessive use of the backtick operator to invoke `git`. Unfortunately user input is used within some of those invocations. It should be noted, that `git-cvsserver` will be invoked by `git-shell` by default without further configuration.
FTR, this has been assigned CVE-2017-14867. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867 Regards, Salvatore
Current thread:
- Advisory: Git cvsserver OS Command Injection joernchen (Sep 26)
- Re: Advisory: Git cvsserver OS Command Injection Salvatore Bonaccorso (Sep 28)