Bug 644314 (CVE-2017-18026) - <www-apps/redmine{3.2.9,3.3.6,3.4.3}: remote execution of arbitrary commands through the Mercurial adapter
Summary: <www-apps/redmine{3.2.9,3.3.6,3.4.3}: remote execution of arbitrary commands ...
Status: RESOLVED FIXED
Alias: CVE-2017-18026
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/gentoo/gentoo/pull...
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-12 15:24 UTC by Azamat H. Hackimov
Modified: 2018-01-26 00:24 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Azamat H. Hackimov 2018-01-12 15:24:32 UTC
Redmine prior to 3.4.4 on the 3.4 branch, 3.3.6 on the 3.3 branch and 3.2.9 on the 3.2 branch has a remote vulnerability, which may allow remote attackers to execute arbitrary commands (through the Mercurial adapter)[1][2].

This vulnerability is fixed in versions 3.2.9, 3.3.6 and 3.4.4.

Pull request on the way.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18026
[2] http://www.redmine.org/projects/redmine/wiki/Security_Advisories
Comment 1 Azamat H. Hackimov 2018-01-12 15:45:58 UTC
PR https://github.com/gentoo/gentoo/pull/6520
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2018-01-25 15:59:12 UTC
CVE-2017-18026 (https://nvd.nist.gov/vuln/detail/CVE-2017-18026):
  Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not
  block the --config and --debugger flags to the Mercurial hg program, which
  allows remote attackers to execute arbitrary commands (through the Mercurial
  adapter) via vectors involving a branch whose name begins with a --config=
  or --debugger= substring, a related issue to CVE-2017-17536.
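A defender-side check for the pattern described in the CVE text above, as an added example that is not Redmine's own code or its upstream fix. It assumes the adapter builds an `hg log` argv for one branch; the function names (`validate_branch_name`, `hg_log_argv`, `safe_branch?`) and the constructed branch names are hypothetical.

```ruby
# Added example (not Redmine's code): refuse option-like branch names before
# they reach hg. Mercurial parses global flags such as --config and --debugger
# early, anywhere on the command line, so passing the name after -b does not
# neutralise it; the name itself must be rejected.
class UnsafeBranchName < StandardError; end

OPTION_LIKE = /\A-/.freeze            # anything hg could read as a flag
CONTROL_CHARS = /[\x00-\x1f\x7f]/.freeze

def validate_branch_name(name)
  raise UnsafeBranchName, "option-like branch name: #{name.inspect}" if name.match?(OPTION_LIKE)
  raise UnsafeBranchName, "control characters in branch name" if name.match?(CONTROL_CHARS)
  name
end

# Build the argv for `hg log` limited to one branch. An argv array (never a
# shell string) rules out shell interpolation; the validator above rules out
# hg-level flag injection. `-b`, `-l`, `--cwd` and `--template` are real hg options.
def hg_log_argv(repo_path, branch, limit: 50)
  ['hg', '--cwd', repo_path, 'log',
   '-b', validate_branch_name(branch),
   '-l', limit.to_s,
   '--template', '{node}\n']
end

# Convenience predicate, e.g. for auditing branch names already in a repository.
def safe_branch?(name)
  validate_branch_name(name)
  true
rescue UnsafeBranchName
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names: two ordinary ones, two shaped like the CVE's vectors.
  ['default', 'feature/login-fix', '--config=ui.verbose=true', '--debugger'].each do |n|
    puts "#{n.inspect}: #{safe_branch?(n) ? 'ok' : 'REJECTED'}"
  end
end
```

Pass the resulting array to `Open3.capture3` or `Process.spawn` element-wise so no shell is ever involved.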
Comment 3 Larry the Git Cow gentoo-dev 2018-01-26 00:20:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6edaba168aac7d45d58d0c4797c7a7a3d438cd88

commit 6edaba168aac7d45d58d0c4797c7a7a3d438cd88
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2018-01-25 23:43:46 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-26 00:19:53 +0000

    www-apps/redmine: bump to 3.2.9, 3.3.6, 3.4.3
    
    Closes remote vulnerability CVE-2017-18026 (#644314).
    
    Closes: https://github.com/gentoo/gentoo/pull/6520
    Bug: https://bugs.gentoo.org/644314
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 www-apps/redmine/Manifest                                       | 6 +++---
 www-apps/redmine/{redmine-3.2.8.ebuild => redmine-3.2.9.ebuild} | 2 +-
 www-apps/redmine/{redmine-3.3.5.ebuild => redmine-3.3.6.ebuild} | 2 +-
 www-apps/redmine/{redmine-3.4.3.ebuild => redmine-3.4.4.ebuild} | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)