Re: Advisory: Git cvsserver OS Command Injection

[Salvatore Bonaccorso <carnil () debian org>]

Hi

On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
> Hi,
>
>
> see attached advisory.
>
> Cheers,
>
> joernchen
> -- 
> joernchen ~ Phenoelit
> <joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->
>
> [ Authors ]
>         joernchen       <joernchen () phenoelit de>
>
>         Phenoelit Group (http://www.phenoelit.de)
>
> [ Affected Products ]
>         Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
>         https://git-scm.com
>
> [ Vendor communication ]
>         2017-09-08 Sent vulnerability details to the git-security list
>         2017-09-09 Acknowledgement of the issue, git maintainers ask if
>                    a patch could be provided
>         2017-09-10 Patch is provided
>         2017-09-11 Further backtick operations are patched by the git
>                    maintainers, corrections on the provided patch
>         2017-09-11 Revised patch is sent out
>         2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
>                    invocation from `git-shell`
>         2017-09-22 Draft release for git 2.14.2 is created including the
>                    fixes
>         2017-09-26 Release of this advisory, release of fixed git versions
>
> [ Description ]
>       The `git` subcommand `cvsserver` is a Perl script which makes excessive
>       use of the backtick operator to invoke `git`. Unfortunately user input
>         is used within some of those invocations.
>
>
>       It should be noted, that `git-cvsserver` will be invoked by `git-shell`
>         by default without further configuration.

FTR, this has been assigned CVE-2017-14867.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867

Regards,
Salvatore