From $URL: git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
PoC: https://git-annex.branchable.com/ikiwiki.cgi?do=goto&page=bugs%2FData_loss_when_copying_files_with_running_assistant%2Fcomment_2_b9cc9ae227a6dd883a2324b6d70b88ad
Upstream Fix: https://git-annex.branchable.com/news/version_6.20170818/

@maintainer(s), after version bump please test and call for stabilization if needed.

Thanks,
Daj'Uan (mbailey_j)
Gentoo Security Scout
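The flaw in the report is a URL host component that ssh parses as a command-line option; the check below is an added example written here, not git-annex's own code, and it assumes the remote host is passed to the ssh binary as one argv element with no shell. It goes slightly beyond the report by also checking the user part of user@host, since ssh receives that in the same argument.

```python
# Added example (not git-annex's own code): validate an ssh:// URL before its
# host is handed to the ssh binary as an argument. urlsplit() accepts
# '-eProxyCommand=' as a netloc without complaint, so the leading-dash check
# has to happen in the caller, which is exactly the step the report is about.
from __future__ import annotations

from urllib.parse import urlsplit


class UnsafeSshUrl(ValueError):
    """A URL component would be parsed by ssh as a command-line option."""


def ssh_target(url: str) -> tuple[str | None, str]:
    """Return (user, host) for an ssh:// URL, refusing option-like values."""
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        raise UnsafeSshUrl(f"not an ssh:// URL: {url!r}")
    host = parts.hostname  # urlsplit lowercases this; the leading '-' survives
    user = parts.username
    if not host:
        raise UnsafeSshUrl(f"missing host in {url!r}")
    # ssh receives 'host' or 'user@host' as a single argv element; if that
    # element begins with '-', ssh's option parser treats it as a flag
    # (e.g. -oProxyCommand=...), which is how a URL becomes a command.
    for label, value in (("host", host), ("user", user)):
        if value is not None and value.startswith("-"):
            raise UnsafeSshUrl(f"{label} {value!r} looks like an ssh option")
    return user, host


def ssh_argv(url: str, remote_command: str) -> list[str]:
    """Build a subprocess argv (no shell) from a validated ssh:// URL."""
    user, host = ssh_target(url)
    target = f"{user}@{host}" if user else host
    return ["ssh", target, remote_command]


def is_safe_ssh_url(url: str) -> bool:
    """Convenience predicate: True only if ssh_target() accepts the URL."""
    try:
        ssh_target(url)
    except UnsafeSshUrl:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal remote and the shape the report describes.
    for candidate in ("ssh://git@example.invalid/repo.git",
                      "ssh://-eProxyCommand=/repo.git"):
        print(candidate, "->", "ok" if is_safe_ssh_url(candidate) else "REJECTED")
```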
Pushed new version as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81d17e4af35cbecc7b28a96de8a62d80cf4d9e18
Dropped old version as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92983108b65f645af5ab815add715492d9929c04

As git-annex has no stable keywords we don't need to stabilize anything. Thanks for the report!