Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 627488 (CVE-2017-1000117)

Summary: <dev-vcs/git-{2.13.5, 2.14.1}: command injection via ssh url
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: arthur, gentoo.2019, gentoo, hlein, polynomial-c, robbat2
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://marc.info/?l=git&m=150238802328673&w=2
Whiteboard: B2 [glsa cve]
Package list:
=dev-vcs/git-2.13.5
 Runtime testing required: No

Description Hanno Böck gentoo-dev 2017-08-10 20:26:01 UTC 
git is vulnerable to a command injection via SSH urls, see upstream:
https://marc.info/?l=git&m=150238802328673&w=2

And from the bug finder:
http://blog.recurity-labs.com/2017-08-10/scm-vulns

2.14.1 fixes the issue, in case you don't want to stabilize that yet several fixed versions for older release branches have also been published by upstream. A similar vuln affects subversion and mercurial.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-08-10 21:55:05 UTC 
Arches, please test & stablize dev-vcs/git-2.13.5 (already in the tree prior to this bug).
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-08-11 19:38:11 UTC 
Stable on amd64.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-08-11 19:40:11 UTC 
(In reply to Tobias Klausmann from comment #2)
> Stable on amd64.

Bullshit.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-08-11 19:40:53 UTC 
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-11 22:15:24 UTC 
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 15:16:52 UTC 
ppc/ppc64 stable
Comment 7 Richard Freeman gentoo-dev 2017-08-19 20:53:38 UTC 
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-20 17:01:39 UTC 
x86 stable
Comment 9 Markus Meier gentoo-dev 2017-08-23 05:00:20 UTC 
arm stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-07 21:03:25 UTC 
sparc stable (thanks to Dakon)
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:14:57 UTC 
hppa stable (thanks to Dakon)
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:15:18 UTC 
Last arch is done here.
Comment 13 D'juan McDonald (domhnall) 2017-09-08 23:58:04 UTC 
@maintainer(s), please clean-up tree, thank you!

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-09-09 02:16:43 UTC 
New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 19:04:27 UTC 
This issue was resolved and addressed in
 GLSA 201709-10 at https://security.gentoo.org/glsa/201709-10
by GLSA coordinator Aaron Bauman (b-man).
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 19:05:18 UTC 
Reopened for cleanup.

@maintainers, please clean the vulnerable versions.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-10-01 23:57:44 UTC 
Maintainer(s), please drop the vulnerable version(s).

dev-vcs/git-(2.13.0,2.13.3,2.13.4)
dev-vcs/git-(2.14.0,2.14.0-r1)
Comment 18 Larry the Git Cow gentoo-dev 2017-10-02 03:16:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5fc034c016555ddaa8c84902f2e2c0b9c335185c

commit 5fc034c016555ddaa8c84902f2e2c0b9c335185c
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2017-10-02 03:16:33 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2017-10-02 03:16:36 +0000

    dev-vcs/git: cleanup old ebuilds.
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=627488#c17
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-vcs/git/Manifest             |  12 -
 dev-vcs/git/git-2.13.0.ebuild    | 677 --------------------------------------
 dev-vcs/git/git-2.13.3.ebuild    | 680 --------------------------------------
 dev-vcs/git/git-2.13.4.ebuild    | 680 --------------------------------------
 dev-vcs/git/git-2.14.0-r1.ebuild | 691 ---------------------------------------
 dev-vcs/git/git-2.14.0.ebuild    | 680 --------------------------------------
 6 files changed, 3420 deletions(-)}