Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 628488 (CVE-2017-12976)

Summary: <dev-vcs/git-annex-6.20170818: arbitrary command execution vulnerability (CVE-2017-12976)
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: trivial CC: haskell
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2017-08-21 10:34:19 UTC
From $URL:

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Comment 2 D'juan McDonald (domhnall) 2017-08-21 10:51:39 UTC
Upstream Fix:


after version bump please test and call for stabilization if needed. Thanks

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-21 21:35:03 UTC
Pushed new version as:

Dropped old version as:

As git-annex has no stable keywords we don't need to stabilize anything.

Thanks for the report!