[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection
Simon Quigley
tsimonq2 at ubuntu.com
Tue Sep 26 21:39:09 UTC 2017
So it looks like we should be able to cherry pick the patches with
little to no issue on Zesty and Artful, but it seems some backporting
*might* be required on Trusty and Xenial.
** Description changed:
From oss-security[1]:
[ Authors ]
- joernchen <joernchen () phenoelit de>
+ joernchen <joernchen () phenoelit de>
- Phenoelit Group (http://www.phenoelit.de)
+ Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
- Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
- https://git-scm.com
+ Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
+ https://git-scm.com
[ Vendor communication ]
- 2017-09-08 Sent vulnerability details to the git-security list
- 2017-09-09 Acknowledgement of the issue, git maintainers ask if
- a patch could be provided
- 2017-09-10 Patch is provided
- 2017-09-11 Further backtick operations are patched by the git
- maintainers, corrections on the provided patch
- 2017-09-11 Revised patch is sent out
- 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
- invocation from `git-shell`
- 2017-09-22 Draft release for git 2.14.2 is created including the
- fixes
- 2017-09-26 Release of this advisory, release of fixed git versions
+ 2017-09-08 Sent vulnerability details to the git-security list
+ 2017-09-09 Acknowledgement of the issue, git maintainers ask if
+ a patch could be provided
+ 2017-09-10 Patch is provided
+ 2017-09-11 Further backtick operations are patched by the git
+ maintainers, corrections on the provided patch
+ 2017-09-11 Revised patch is sent out
+ 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
+ invocation from `git-shell`
+ 2017-09-22 Draft release for git 2.14.2 is created including the
+ fixes
+ 2017-09-26 Release of this advisory, release of fixed git versions
[ Description ]
- The `git` subcommand `cvsserver` is a Perl script which makes excessive
- use of the backtick operator to invoke `git`. Unfortunately user input
- is used within some of those invocations.
+ The `git` subcommand `cvsserver` is a Perl script which makes excessive
+ use of the backtick operator to invoke `git`. Unfortunately user input
+ is used within some of those invocations.
-
- It should be noted, that `git-cvsserver` will be invoked by `git-shell`
- by default without further configuration.
+ It should be noted, that `git-cvsserver` will be invoked by `git-shell`
+ by default without further configuration.
[ Example ]
- Below a example of a OS Command Injection within `git-cvsserver`
- triggered via `git-shell`:
+ Below a example of a OS Command Injection within `git-cvsserver`
+ triggered via `git-shell`:
- =====8<=====
+ =====8<=====
[git at ...t ~]$ cat .ssh/authorized_keys
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....
[joernchen at ...t ~]$ ssh git at ...alhost cvs server
Root /tmp
E /tmp/ does not seem to be a valid GIT repository
E
error 1 /tmp/ is not a valid repository
Directory .
`id>foooooo`
add
fatal: Not a git repository: '/tmp/'
Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.
[joernchen at ...t ~]$
[git at ...t ~]$ cat foooooo
uid=619(git) gid=618(git) groups=618(git)
[git at ...t ~]$
- =====>8=====
+ =====>8=====
[ Solution ]
- Upgrade to one of the following git versions:
- * 2.14.2
- * 2.13.6
- * 2.12.5
- * 2.11.4
- * 2.10.5
+ Upgrade to one of the following git versions:
+ * 2.14.2
+ * 2.13.6
+ * 2.12.5
+ * 2.11.4
+ * 2.10.5
[ end of file ]
-------------------
No CVE has been assigned yet, but a fix has been released upstream and
as seen above, the fixes are already in Debian.
+ The following upstream commits claim to fix the issue:
+ - 985f59c042320ddf0a506e553d5eef9689ef4c32
+ - 31add46823fe926e85efbfeab865e366018b33b4
+ - 6d6e2f812d366789fb6f4f9ea8decb4777f6f862
+ - dca89d4e56dde4b9b48d6f2ec093886a6fa46575
+
[1] http://www.openwall.com/lists/oss-security/2017/09/26/9
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1719740
Title:
[DSA 3984-1] Git cvsserver OS Command Injection
Status in git package in Ubuntu:
In Progress
Status in git source package in Trusty:
In Progress
Status in git source package in Xenial:
In Progress
Status in git source package in Zesty:
In Progress
Status in git source package in Artful:
In Progress
Bug description:
From oss-security[1]:
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
https://git-scm.com
[ Vendor communication ]
2017-09-08 Sent vulnerability details to the git-security list
2017-09-09 Acknowledgement of the issue, git maintainers ask if
a patch could be provided
2017-09-10 Patch is provided
2017-09-11 Further backtick operations are patched by the git
maintainers, corrections on the provided patch
2017-09-11 Revised patch is sent out
2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
invocation from `git-shell`
2017-09-22 Draft release for git 2.14.2 is created including the
fixes
2017-09-26 Release of this advisory, release of fixed git versions
[ Description ]
The `git` subcommand `cvsserver` is a Perl script which makes excessive
use of the backtick operator to invoke `git`. Unfortunately user input
is used within some of those invocations.
It should be noted, that `git-cvsserver` will be invoked by `git-shell`
by default without further configuration.
[ Example ]
Below a example of a OS Command Injection within `git-cvsserver`
triggered via `git-shell`:
=====8<=====
[git at ...t ~]$ cat .ssh/authorized_keys
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....
[joernchen at ...t ~]$ ssh git at ...alhost cvs server
Root /tmp
E /tmp/ does not seem to be a valid GIT repository
E
error 1 /tmp/ is not a valid repository
Directory .
`id>foooooo`
add
fatal: Not a git repository: '/tmp/'
Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.
[joernchen at ...t ~]$
[git at ...t ~]$ cat foooooo
uid=619(git) gid=618(git) groups=618(git)
[git at ...t ~]$
=====>8=====
[ Solution ]
Upgrade to one of the following git versions:
* 2.14.2
* 2.13.6
* 2.12.5
* 2.11.4
* 2.10.5
[ end of file ]
-------------------
No CVE has been assigned yet, but a fix has been released upstream and
as seen above, the fixes are already in Debian.
The following upstream commits claim to fix the issue:
- 985f59c042320ddf0a506e553d5eef9689ef4c32
- 31add46823fe926e85efbfeab865e366018b33b4
- 6d6e2f812d366789fb6f4f9ea8decb4777f6f862
- dca89d4e56dde4b9b48d6f2ec093886a6fa46575
[1] http://www.openwall.com/lists/oss-security/2017/09/26/9
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1719740/+subscriptions
More information about the foundations-bugs
mailing list