Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 628488 (CVE-2017-12976) - <dev-vcs/git-annex-6.20170818: arbitrary command execution vulnerability (CVE-2017-12976)
Summary: <dev-vcs/git-annex-6.20170818: arbitrary command execution vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2017-12976
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://web.nvd.nist.gov/view/vuln/de...
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-21 10:34 UTC by D'juan McDonald (domhnall)
Modified: 2017-08-22 02:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-08-21 10:34:19 UTC
From $URL:

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Comment 2 D'juan McDonald (domhnall) 2017-08-21 10:51:39 UTC
Upstream Fix: https://git-annex.branchable.com/news/version_6.20170818/


@maintainer(s), 

after version bump please test and call for stabilization if needed. Thanks

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-21 21:35:03 UTC
Pushed new version as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81d17e4af35cbecc7b28a96de8a62d80cf4d9e18

Dropped old version as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92983108b65f645af5ab815add715492d9929c04

As git-annex has no stable keywords we don't need to stabilize anything.

Thanks for the report!