632036 – (CVE-2017-14867) <dev-vcs/git-2.13.6: unsafe constructs in git cvsserver

Bug 632036 (CVE-2017-14867) - <dev-vcs/git-2.13.6: unsafe constructs in git cvsserver

Summary: <dev-vcs/git-2.13.6: unsafe constructs in git cvsserver

Status:	RESOLVED FIXED

Alias:	CVE-2017-14867

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://public-inbox.org/git/xmqqwp4m...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-09-26 09:46 UTC by Hanno Böck
Modified:	2018-01-19 23:51 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	dev-vcs/git-2.13.6
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2017-09-26 09:46:14 UTC

Details on this are a bit scarce, but it seems git has another security issue:
https://public-inbox.org/git/xmqqwp4m9ejl.fsf@gitster.mtv.corp.google.com/

This is the relevant part:

 * "git cvsserver" no longer is invoked by "git shell" by default,
   as it is old and largely unmaintained.
[...]
Credits go to joernchen <joernchen@phenoelit.de> for finding the
unsafe constructs in "git cvsserver", and to Jeff King at GitHub for
finding and fixing instances of the same issue in other scripts.


joernchen is the same person who found the previous command injection vulns (see #627488) in git, so I assume this is a related / similar issue.

Fixed in 2.10.5, 2.11.4, 2.12.5, 2.13.6, v2.14.2. Given that we don't support anything before 2.13 please bump to 2.13.6 and 2.14.2.

Comment 1 Hanno Böck gentoo-dev

2017-09-26 09:47:00 UTC

More details from the bug finder:
http://www.phenoelit.org/stuff/git_cvsserver.txt

Comment 2 Larry the Git Cow gentoo-dev

2017-09-26 17:03:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e62b37dd27a9bb9574fcfb3fe98fae76776e90e2

commit e62b37dd27a9bb9574fcfb3fe98fae76776e90e2
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2017-09-26 17:01:48 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2017-09-26 17:03:13 +0000

    dev-vcs/git: security bump.
    
    Bug: https://bugs.gentoo.org/632036
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-vcs/git/Manifest          |   6 +
 dev-vcs/git/git-2.13.6.ebuild | 680 ++++++++++++++++++++++++++++++++++++++++
 dev-vcs/git/git-2.14.2.ebuild | 699 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 1385 insertions(+)}

Comment 3 Robin Johnson archtester

2017-09-26 17:17:16 UTC

Arches, please test & stabilize.

Target keywords: alpha, amd64, arm, hppa, ia64, ppc, x86
FEATURES=test is supported.

Expected  final test output:
...
done | '/bin/sh' ./aggregate-results.sh
fixed   0
success 16087
failed  0
broken  212
total   16483
>>> Completed testing dev-vcs/git-2.13.6

Comment 4 Agostino Sarubbo gentoo-dev

2017-09-27 11:21:14 UTC

amd64 stable

Comment 5 D'juan McDonald (domhnall) 2017-09-29 14:49:47 UTC

CVE assigned: 9/28/17
CVE-2017-14867(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14867)

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 03:00:26 UTC

ppc64 stable

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 04:14:20 UTC

ppc stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2017-09-30 07:22:31 UTC

ia64 stable

Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev

2017-10-03 08:38:26 UTC

hppa stable

Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-04 22:53:12 UTC

x86 stable

Comment 11 Markus Meier gentoo-dev

2017-10-16 18:13:39 UTC

arm stable

Comment 12 Tobias Klausmann (RETIRED) gentoo-dev

2017-10-22 21:49:27 UTC

Stable on alpha.

Comment 13 Aaron Bauman (RETIRED) gentoo-dev

2017-10-23 00:05:38 UTC

GLSA Vote: No

@maintainers, please clean the vulnerable versions.

Comment 14 Sergei Trofimovich (RETIRED) gentoo-dev

2017-11-13 07:58:09 UTC

sparc stable (thanks to Rolf Eike Beer)

Comment 15 Aaron Bauman (RETIRED) gentoo-dev

2018-01-19 23:51:39 UTC

Tree is clean.