Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 640208 (CVE-2017-17459)

Summary: <dev-vcs/fossil-2.4: Remote command execution vulnerability
Product: Gentoo Security Reporter: Sławomir Nizio <slawomir.nizio>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: rafaelmartins, titanofold
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: No
Bug Depends on: 630738    
Bug Blocks: 627674    

Description Sławomir Nizio 2017-12-07 17:58:27 UTC
From the changelog:

> Fix the "ssh://" protocol to prevent an attack whereby the attacker convinces a victim to run a "clone" with a dodgy URL and thereby gains access to their system.


Looks that at least some of that has been cherry-picked to the branch-2.3 branch.

However, looking at trunk's changelog and 2.4 tarball, seems that more of that went into the release, related to escaping possibly insecure stuff.

Reproducible: Always
Comment 1 Sławomir Nizio 2017-12-07 17:59:18 UTC
Quoting the changelog entry from comment 1 but with line wrapping:

> Fix the "ssh://" protocol to prevent an attack whereby the attacker
> convinces a victim to run a "clone" with a dodgy URL and thereby
> gains access to their system.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 16:46:39 UTC
(In reply to Sławomir Nizio from comment #0)

Thanks for the report.

@Maintainers please call for stabilization when ready.

Thank you

CVE-2017-17459: http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Comment 3 Aaron W. Swenson gentoo-dev 2017-12-10 19:00:20 UTC
Please stabilize:
=dev-vcs/fossil-2.4 ~amd64 ~x86
Comment 4 Stabilization helper bot gentoo-dev 2017-12-10 19:02:16 UTC
An automated check of this bug failed - repoman reported dependency errors (37 lines truncated): 

> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-db/sqlite-3.20.0:3']
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-db/sqlite-3.20.0:3']
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-db/sqlite-3.20.0:3']
Comment 5 Stabilization helper bot gentoo-dev 2017-12-10 20:01:28 UTC
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Comment 6 Agostino Sarubbo gentoo-dev 2017-12-14 20:27:50 UTC
amd64 stable
Comment 7 Arfrever Frehtes Taifersar Arahesis 2017-12-14 20:50:27 UTC
Stabilization of dev-db/sqlite-3.20.1-r1 was NOT approved here.
The correct action would have been to make bug #640208 depend on bug #630738.
dev-db/sqlite-3.20.1-r1 must be stabilized with 2 other packages at the same time.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-14 21:10:41 UTC
amd64 stabilization reverted due to comment #7
Comment 9 Jason Zaman gentoo-dev 2017-12-19 13:48:30 UTC
amd64 stable
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-21 21:04:00 UTC
@x86, ping.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-21 21:22:31 UTC
x86 stable
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-21 21:24:05 UTC
@ Arches,

please cleanup and drop <dev-vcs/fossil-2.4!
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-21 21:24:29 UTC
s/Arches/Maintainers, sorry :)
Comment 14 Larry the Git Cow gentoo-dev 2018-01-22 10:49:13 UTC
The bug has been referenced in the following commit(s):

commit b037661b68a36a80fd76db911a266430374fb2a5
Author:     Aaron W. Swenson <>
AuthorDate: 2018-01-22 10:48:56 +0000
Commit:     Aaron W. Swenson <>
CommitDate: 2018-01-22 10:48:56 +0000

    dev-vcs/fossil: Clean old, insecure
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-vcs/fossil/Manifest           |  2 --
 dev-vcs/fossil/fossil-1.35.ebuild | 52 ------------------------------------
 dev-vcs/fossil/fossil-2.3.ebuild  | 55 ---------------------------------------
 3 files changed, 109 deletions(-)}
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2018-01-22 21:37:48 UTC
GLSA request filed.

Tree is clean.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-01-27 17:03:57 UTC
This issue was resolved and addressed in
 GLSA 201801-20 at
by GLSA coordinator Thomas Deutschmann (whissi).