[Bug 1710979] Re: bzr+ssh URLs don't strip SSH options
Launchpad Bug Tracker
1710979 at bugs.launchpad.net
Tue Sep 5 23:57:43 UTC 2017
This bug was fixed in the package bzr - 2.7.0-2ubuntu3.1
---------------
bzr (2.7.0-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <sbeattie at ubuntu.com>  Mon, 28 Aug 2017 22:04:57 -0700
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/1710979
Title:
bzr+ssh URLs don't strip SSH options
Status in Breezy:
Fix Released
Status in Bazaar:
Confirmed
Status in bzr package in Ubuntu:
Fix Released
Bug description:
Bazaar suffers from the same bug that affects Mercurial and Git:

A hostname that starts with a - is passed on verbatim to the ssh
command, which means that the host bit in the URL can be used to set
arbitrary SSH options.

E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

Presumably this only affects users that are using the Subprocess SSH
vendor, and not those using the Paramiko SSH Vendor.

See e.g. https://security-tracker.debian.org/tracker/CVE-2017-1000117
for the Git advisory.
To manage notifications about this bug go to:
https://bugs.launchpad.net/brz/+bug/1710979/+subscriptions
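
The check named in the changelog entry above (host arguments to ssh must not be treated as ssh options), sketched as an added example; this is not the bzr patch or code from the original notification. The function names, the simplified argv layout and the REMOTE_CMD value are assumptions made for illustration, and IPv6 literals are not handled.

```python
from urllib.parse import urlsplit

# Constructed remote command, for illustration only.
REMOTE_CMD = ["bzr", "serve", "--inet"]


class UnsafeHostError(ValueError):
    """The URL's host part would be read by ssh as a command-line option."""


def split_bzr_ssh_url(url):
    """Return (user, host, port) from a bzr+ssh URL, without altering the host."""
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % url)
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return userinfo or None, host, port or None


def naive_ssh_argv(url, remote_cmd=REMOTE_CMD):
    """Behaviour described in the bug: the host is appended to argv verbatim."""
    user, host, port = split_bzr_ssh_url(url)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    if user:
        argv += ["-l", user]
    return argv + [host] + list(remote_cmd)


def checked_ssh_argv(url, remote_cmd=REMOTE_CMD):
    """Refuse any host that ssh could parse as an option, then build argv."""
    user, host, port = split_bzr_ssh_url(url)
    if not host or host.startswith("-"):
        raise UnsafeHostError("refusing option-like host %r" % host)
    if port is not None and not port.isdigit():
        raise ValueError("non-numeric port %r" % port)
    return naive_ssh_argv(url, remote_cmd)


if __name__ == "__main__":
    # The second URL is the one quoted in the bug description.
    for url in ("bzr+ssh://user@example.com:2222/srv/repo",
                "bzr+ssh://-oProxyCommand=ls/path"):
        try:
            print(checked_ssh_argv(url))
        except UnsafeHostError as exc:
            print("rejected:", exc)
```

The validation runs before any process is spawned, so a rejected URL never reaches the Subprocess SSH vendor's command line.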