Bug 628488 (CVE-2017-12976)

Summary:	<dev-vcs/git-annex-6.20170818: arbitrary command execution vulnerability (CVE-2017-12976)
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	haskell
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12976
Whiteboard:	~2 [noglsa cve]
Package list:		Runtime testing required:	---

Description D'juan McDonald (domhnall) 2017-08-21 10:34:19 UTC

From $URL:

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.

Comment 1 D'juan McDonald (domhnall) 2017-08-21 10:45:56 UTC

PoC: 

https://git-annex.branchable.com/ikiwiki.cgi?do=goto&page=bugs%2FData_loss_when_copying_files_with_running_assistant%2Fcomment_2_b9cc9ae227a6dd883a2324b6d70b88ad

Comment 2 D'juan McDonald (domhnall) 2017-08-21 10:51:39 UTC

Upstream Fix: https://git-annex.branchable.com/news/version_6.20170818/


@maintainer(s), 

after version bump please test and call for stabilization if needed. Thanks

Daj'Uan (mbailey_j)
Gentoo Security Scout

Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev

2017-08-21 21:35:03 UTC

Pushed new version as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81d17e4af35cbecc7b28a96de8a62d80cf4d9e18

Dropped old version as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92983108b65f645af5ab815add715492d9929c04

As git-annex has no stable keywords we don't need to stabilize anything.

Thanks for the report!