[CVE] Git cvsserver OS Command Injection

Bug #1719740 reported by Simon Quigley on 2017-09-26
Affects        Status        Importance  Assigned to    Milestone
git (Debian)   Fix Released  Unknown
git (Ubuntu)                 High        Simon Quigley
  Trusty                     High        Simon Quigley
  Xenial                     High        Simon Quigley
  Zesty                      High        Simon Quigley
  Artful                     High        Simon Quigley

Bug Description

From oss-security[1]:

[ Authors ]
        joernchen <joernchen () phenoelit de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
        https://git-scm.com

[ Vendor communication ]
        2017-09-08 Sent vulnerability details to the git-security list
        2017-09-09 Acknowledgement of the issue, git maintainers ask if
                   a patch could be provided
        2017-09-10 Patch is provided
        2017-09-11 Further backtick operations are patched by the git
                   maintainers, corrections on the provided patch
        2017-09-11 Revised patch is sent out
        2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
                   invocation from `git-shell`
        2017-09-22 Draft release for git 2.14.2 is created including the
                   fixes
        2017-09-26 Release of this advisory, release of fixed git versions

[ Description ]
        The `git` subcommand `cvsserver` is a Perl script which makes excessive
        use of the backtick operator to invoke `git`. Unfortunately user input
        is used within some of those invocations.

        It should be noted that `git-cvsserver` will be invoked by `git-shell`
        by default without further configuration.

[ Example ]
        Below is an example of an OS Command Injection within `git-cvsserver`
        triggered via `git-shell`:

        =====8<=====
[git@...t ~]$ cat .ssh/authorized_keys
command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....

[joernchen@...t ~]$ ssh git@...alhost cvs server
Root /tmp
E /tmp/ does not seem to be a valid GIT repository
E
error 1 /tmp/ is not a valid repository
Directory .
`id>foooooo`
add
fatal: Not a git repository: '/tmp/'
Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.
[joernchen@...t ~]$

[git@...t ~]$ cat foooooo
uid=619(git) gid=618(git) groups=618(git)
[git@...t ~]$
        =====>8=====

[ Solution ]
        Upgrade to one of the following git versions:
        * 2.14.2
        * 2.13.6
        * 2.12.5
        * 2.11.4
        * 2.10.5

[ end of file ]

-------------------

No CVE has been assigned yet, but a fix has been released upstream and, as seen above, the fixes are already in Debian.

The following upstream commits claim to fix the issue:
 - 985f59c042320ddf0a506e553d5eef9689ef4c32
 - 31add46823fe926e85efbfeab865e366018b33b4
 - 6d6e2f812d366789fb6f4f9ea8decb4777f6f862
 - dca89d4e56dde4b9b48d6f2ec093886a6fa46575

[1] http://www.openwall.com/lists/oss-security/2017/09/26/9
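The backtick pattern the advisory describes, beside the shell-free fork/exec pattern that the upstream fix (cvsserver-use-safe_pipe_capture) switches to, as an added Perl example that is not git's own code. The module-name validator and the use of `echo` as a stand-in for `git` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not git's own code: the backtick pattern the advisory
# describes, beside a fork/exec helper modelled on git's safe_pipe_capture.
use strict;
use warnings;

# Constructed input shaped like the CVS "Directory" argument in the advisory.
# Anything /bin/sh treats specially (`...`, $(...), ;, |) is the hazard.
my $module = '`echo INJECTED`';

# UNSAFE: the whole string goes to /bin/sh, which evaluates the backticks
# before the outer command ever sees its argument.
sub unsafe_capture {
    my ($cmd, $arg) = @_;
    return `$cmd $arg`;
}

# SAFE, modelled on git's safe_pipe_capture: fork via open('-|'), then
# exec() an argument list. The indirect-object form exec { PROG } LIST
# never consults a shell, so every element reaches the program verbatim.
sub safe_pipe_capture {
    my @argv = @_;
    my @output;
    my $pid = open(my $child, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid) {                          # parent: read the child's stdout
        @output = <$child>;
        close $child;
    } else {                             # child: become the program
        exec { $argv[0] } @argv or die "exec failed: $!";
    }
    return wantarray ? @output : join('', @output);
}

# Defence in depth (assumed policy, not git's own check): refuse module
# names that are not plain relative path segments before any command runs.
sub module_name_ok {
    my ($name) = @_;
    return $name =~ m{\A[A-Za-z0-9_][A-Za-z0-9_.\-/]*\z} && $name !~ m{\.\.};
}

# 'echo' stands in for 'git' so the demo runs on any POSIX host.
print 'validator accepts module name: ', (module_name_ok($module) ? 'yes' : 'no'), "\n";
print 'unsafe path, shell-expanded: ', unsafe_capture('echo', $module);
print 'safe path, literal argument:  ', safe_pipe_capture('echo', $module);
```

Running it shows the unsafe path emitting the inner command's output while the safe path echoes the backtick string unchanged, which is the whole difference the four upstream patches rely on.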

Simon Quigley (tsimonq2) wrote :

Security Team:

Debian marks this as a high-importance vulnerability; I'll follow suit and change the importance here. Please feel free to mark it otherwise.

Otherwise, I plan on working on a fix for this; I'll put something here within an hour or two.

Thanks!

Changed in git (Ubuntu Trusty):
importance: Undecided → High
Changed in git (Ubuntu Xenial):
importance: Undecided → High
Changed in git (Ubuntu Artful):
status: New → In Progress
Changed in git (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in git (Ubuntu Zesty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in git (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in git (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in git (Ubuntu Zesty):
importance: Undecided → High
Changed in git (Ubuntu Artful):
importance: Undecided → High
Changed in git (Ubuntu Zesty):
status: New → In Progress
Changed in git (Ubuntu Xenial):
status: New → In Progress
Changed in git (Ubuntu Trusty):
status: New → In Progress
Simon Quigley (tsimonq2) wrote :

So it looks like we should be able to cherry pick the patches with little to no issue on Zesty and Artful, but it seems some backporting *might* be required on Trusty and Xenial.

description: updated
Changed in git (Debian):
status: Unknown → Fix Released
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Artful applicable to 2.14.1-1ubuntu3. I tested this locally and can find no regressions.

I'd like a review from the security team (and an upload from someone who has access, as I'm only a MOTU) before I prepare the patches for the other releases, to make sure the format is OK so I can just backport this upload.

Thanks!

Simon Quigley (tsimonq2) wrote :

It looks like this was assigned to CVE-2017-14867 but Launchpad (wonderfully) won't let me reflect that here.

Simon Quigley (tsimonq2) on 2017-09-28
summary: - [DSA 3984-1] Git cvsserver OS Command Injection
+ [CVE] Git cvsserver OS Command Injection
Marc Deslauriers (mdeslaur) wrote :

Hi Simon,

I think you're missing a few commits. Here is the list of commits Debian has added:

http://repo.or.cz/git/debian.git/commit/ad86ba2e77a442db38510bcc5e5283872df49d88

Also, you don't need to change the patch headers, just leave the original git commit headers there.

Thanks!

Marc Deslauriers (mdeslaur) wrote :

OK, as pointed out on irc, commit 31add46823fe926e85efbfeab865e366018b33b4 does contain the three others.

Looks good, thanks!

Uploading now.

Simon Quigley (tsimonq2) on 2017-10-03
Changed in git (Ubuntu Artful):
status: In Progress → Fix Committed
Simon Quigley (tsimonq2) wrote :

Attached is a debdiff for Zesty applicable to 1:2.11.0-2ubuntu0.2. I tested it in a LXD container and it works as intended with no apparent regressions.

Marc Deslauriers (mdeslaur) wrote :

ACK on the zesty debdiff, thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.14.1-1ubuntu4

---------------
git (1:2.14.1-1ubuntu4) artful; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley <email address hidden> Tue, 26 Sep 2017 19:11:26 -0500

Changed in git (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:1.9.1-1ubuntu0.7

---------------
git (1:1.9.1-1ubuntu0.7) trusty-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley <email address hidden> Tue, 03 Oct 2017 13:20:58 -0500

Changed in git (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.7.4-0ubuntu1.3

---------------
git (1:2.7.4-0ubuntu1.3) xenial-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley <email address hidden> Tue, 03 Oct 2017 13:14:37 -0500

Changed in git (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.11.0-2ubuntu0.3

---------------
git (1:2.11.0-2ubuntu0.3) zesty-security; urgency=high

  * SECURITY UPDATE: Git cvsserver OS Command Injection (LP: #1719740)
    - shell-drop-git-cvsserver-support-by-default.diff
    - cvsserver-use-safe_pipe_capture.diff
    - cvsimport-shell-quote-variable-used-in-backticks.diff
    - archimport-use-safe_pipe_capture-for-user-input.diff
    - CVE-2017-14867

 -- Simon Quigley <email address hidden> Tue, 03 Oct 2017 13:02:47 -0500

Changed in git (Ubuntu Zesty):
status: In Progress → Fix Released