| Summary: | <dev-vcs/fossil-2.4: Remote command execution vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sławomir Nizio <slawomir.nizio> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | rafaelmartins, titanofold |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | =dev-vcs/fossil-2.4 | | |
| Runtime testing required: | No | | |
| Bug Depends on: | 630738 | | |
| Bug Blocks: | 627674 | | |

Description
Sławomir Nizio
2017-12-07 17:58:27 UTC
Quoting the changelog entry from comment 1 but with line wrapping:

> Fix the "ssh://" protocol to prevent an attack whereby the attacker
> convinces a victim to run a "clone" with a dodgy URL and thereby
> gains access to their system.

(In reply to Sławomir Nizio from comment #0)
Thanks for the report. @Maintainers please call for stabilization when ready. Thank you

CVE-2017-17459: http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.

Please stabilize: =dev-vcs/fossil-2.4 ~amd64 ~x86

An automated check of this bug failed - repoman reported dependency errors (37 lines truncated):
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-db/sqlite-3.20.0:3']
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-db/sqlite-3.20.0:3']
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-db/sqlite-3.20.0:3']
An automated check of this bug succeeded - the previous repoman errors are now resolved.

amd64 stable

Stabilization of dev-db/sqlite-3.20.1-r1 was NOT approved here. The correct action would have been to make bug #640208 depend on bug #630738. dev-db/sqlite-3.20.1-r1 must be stabilized with 2 other packages at the same time.

amd64 stabilization reverted due to comment #7

amd64 stable

@x86, ping.

x86 stable

@ Arches, please cleanup and drop <dev-vcs/fossil-2.4!

s/Arches/Maintainers, sorry :)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b037661b68a36a80fd76db911a266430374fb2a5

commit b037661b68a36a80fd76db911a266430374fb2a5
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-01-22 10:48:56 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-01-22 10:48:56 +0000

    dev-vcs/fossil: Clean old, insecure

    Bug: https://bugs.gentoo.org/627674
    Bug: https://bugs.gentoo.org/640208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-vcs/fossil/Manifest           |  2 --
 dev-vcs/fossil/fossil-1.35.ebuild | 52 ------------------------------------
 dev-vcs/fossil/fossil-2.3.ebuild  | 55 ---------------------------------------
 3 files changed, 109 deletions(-)

GLSA request filed. Tree is clean.

This issue was resolved and addressed in GLSA 201801-20 at https://security.gentoo.org/glsa/201801-20 by GLSA coordinator Thomas Deutschmann (whissi).
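
The flaw class named in the CVE description above (an ssh URL whose hostname begins with a dash) can be screened for before any ssh client is invoked. The C function below is an added example, not Fossil's code or its fix; the name `ssh_url_safe_host`, the character allow-list and the sample URLs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Fossil's code. Copies the host of an ssh:// URL into
** out[] only when it is safe to pass to an ssh client as an argument.
** Assumption: hostnames and IPv4 only (IPv6 literals are rejected).
** Returns 0 on success, -1 when the URL is rejected. */
int ssh_url_safe_host(const char *url, char *out, size_t outsz){
  static const char scheme[] = "ssh://";
  const char *auth, *end, *host, *q, *at = NULL;
  size_t n, i;

  if( strncmp(url, scheme, sizeof(scheme)-1)!=0 ) return -1;
  auth = url + sizeof(scheme) - 1;
  end = auth + strcspn(auth, "/?#");             /* end of authority part */
  for(q=auth; q<end; q++) if( *q=='@' ) at = q;  /* last '@' ends userinfo */
  host = at ? at+1 : auth;

  /* A leading '-' on the user or host would make the argument built from
  ** them ("host" or "user@host") parse as an option of the ssh client. */
  if( *auth=='-' || *host=='-' ) return -1;

  /* Strip an optional ":port" that consists only of digits. */
  for(q=end; q>host && isdigit((unsigned char)q[-1]); q--){}
  if( q>host && q<end && q[-1]==':' ) end = q-1;

  n = (size_t)(end - host);
  if( n==0 || n>=outsz ) return -1;
  for(i=0; i<n; i++){                            /* allow-list of characters */
    unsigned char c = (unsigned char)host[i];
    if( !isalnum(c) && c!='.' && c!='-' && c!='_' ) return -1;
  }
  memcpy(out, host, n);
  out[n] = '\0';
  return 0;
}

int main(void){
  /* Constructed sample URLs; example.org is a placeholder host. */
  const char *urls[] = { "ssh://user@example.org:22/repo.fossil",
                         "ssh://-x/repo.fossil", "ssh://user@-x/repo.fossil" };
  char host[256];
  for(size_t i=0; i<sizeof(urls)/sizeof(urls[0]); i++){
    int rc = ssh_url_safe_host(urls[i], host, sizeof host);
    printf("%-40s %s\n", urls[i], rc==0 ? host : "REJECTED");
  }
  return 0;
}
```

A caller would refuse to start the transport when the function returns -1, and otherwise pass only the copied host to the client.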