bzr+ssh URLs don't strip SSH options

Bug #1710979 reported by Jelmer Vernooij on 2017-08-15
This bug affects 4 people
Affects        Importance   Assigned to
Bazaar         Undecided    Unassigned
Breezy         Critical     Jelmer Vernooij
bzr (Ubuntu)   Critical     Unassigned

Bug Description

Bazaar suffers from the same bug that affects Mercurial and Git:

A hostname that starts with a - is passed on verbatim to the ssh command, which means that the host bit in the URL can be used to set arbitrary SSH options.

E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

Presumably this only affects users that are using the Subprocess SSH vendor, and not those using the Paramiko SSH Vendor.

See e.g. https://security-tracker.debian.org/tracker/CVE-2017-1000117 for the Git advisory.

Jelmer Vernooij (jelmer) on 2017-08-15
Changed in bzr:
status: New → Confirmed
Changed in brz:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Critical
Augie Fackler (durin42) wrote :

Subversion explored poking a -- on the ssh command string to be safe, but discovered that putty's implementation doesn't understand -- so it would have broken Windows users.

Jelmer Vernooij (jelmer) wrote :

I've posted an initial fix for Breezy in https://code.launchpad.net/~jelmer/brz/fix-ssh-sec

Jelmer Vernooij (jelmer) wrote :

Bazaar distinguishes between the different implementations, so I've opted for adding -- for openssh and printing an error for all the other ones (including plink - putty's implementation).

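The approach described in the comment above, as an added Python example that is not Breezy's or Bazaar's own code: the vendor names 'openssh' and 'plink' and the function name are assumed for illustration. OpenSSH gets a '--' end-of-options marker before the host; plink has no such marker, so a host that the client would parse as an option is refused instead of passed through.

```python
class SSHOptionInjection(ValueError):
    """Raised when a host string would be parsed by the ssh client as an option."""


def build_ssh_argv(vendor, host, port=None, username=None, command=()):
    """Build the argv for a subprocess SSH vendor so that `host` can never
    be consumed as an SSH option (hypothetical helper, not bzr's own API).

    vendor: 'openssh' or 'plink' (assumed names for this example).
    """
    if not host:
        raise ValueError('empty host')
    looks_like_option = host.startswith('-')

    if vendor == 'openssh':
        args = ['ssh']
        if port is not None:
            args.extend(['-p', str(port)])
        if username is not None:
            args.extend(['-l', username])
        # Everything after '--' is positional, so a host such as
        # '-oProxyCommand=ls' is treated as a (non-resolvable) hostname,
        # not as a ProxyCommand option.
        args.append('--')
        args.append(host)
    elif vendor == 'plink':
        # PuTTY's plink does not understand '--', so the only safe
        # choice is to refuse hosts that look like options.
        if looks_like_option:
            raise SSHOptionInjection(
                'refusing host %r: plink has no end-of-options marker' % host)
        args = ['plink']
        if port is not None:
            args.extend(['-P', str(port)])
        if username is not None:
            args.extend(['-l', username])
        args.append(host)
    else:
        raise ValueError('unknown ssh vendor %r' % vendor)

    args.extend(command)
    return args
```
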
Jelmer Vernooij (jelmer) on 2017-08-15
Changed in brz:
assignee: nobody → Jelmer Vernooij (jelmer)
milestone: none → 3.0.0
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bzr (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks, I've requested a CVE for Bazaar.

Jelmer Vernooij (jelmer) wrote :

Thanks. We can cherry-pick the patch from Breezy for Bazaar.

Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Jelmer Vernooij (jelmer) wrote :

I've just done so.

information type: Private Security → Public
information type: Public → Public Security
Jelmer Vernooij (jelmer) on 2017-08-27
Changed in brz:
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.7.0+bzr6619-7ubuntu0.1

---------------
bzr (2.7.0+bzr6619-7ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <email address hidden> Mon, 28 Aug 2017 21:54:13 -0700

Changed in bzr (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.6.0+bzr6593-1ubuntu1.6

---------------
bzr (2.6.0+bzr6593-1ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <email address hidden> Mon, 28 Aug 2017 23:11:14 -0700

Changed in bzr (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.7.0-2ubuntu3.1

---------------
bzr (2.7.0-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <email address hidden> Mon, 28 Aug 2017 22:04:57 -0700

Changed in bzr (Ubuntu):
status: Confirmed → Fix Released
Changed in bzr (Ubuntu):
importance: Undecided → Critical
Jelmer Vernooij (jelmer) wrote :

Hi Marc, any news on the CVE?

Emily Ratliff (emilyr) wrote :

CVE-2017-14176 has been assigned for this vulnerability.
