Bug 627488 (CVE-2017-1000117) - <dev-vcs/git-{2.13.5, 2.14.1}: command injection via ssh url
Summary: <dev-vcs/git-{2.13.5, 2.14.1}: command injection via ssh url
Alias: CVE-2017-1000117
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2017-08-10 20:26 UTC by Hanno Böck
Modified: 2017-10-19 00:47 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2017-08-10 20:26:01 UTC
git is vulnerable to a command injection via SSH urls, see upstream:

And from the bug finder:

2.14.1 fixes the issue, in case you don't want to stabilize that yet several fixed versions for older release branches have also been published by upstream. A similar vuln affects subversion and mercurial.
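The upstream fix for CVE-2017-1000117 refuses ssh hostnames that begin with a dash, because a host string such as that is handed to the ssh client as a positional argument and would otherwise be parsed as an option. The check below is an added illustration of that hardening, written for this page; it is not git's own code and not part of the bug report. It is somewhat stricter than the upstream change in that it flags a dash-prefixed user, host or port component of an ssh-style remote independently, and it accepts both `ssh://` URLs and scp-like `[user@]host:path` remotes. All sample URLs are constructed.

```python
from urllib.parse import urlsplit

# URL schemes git routes through the ssh client
SSH_SCHEMES = ("ssh", "git+ssh", "ssh+git")


def ssh_components(url):
    """Return (user, host, port) for an ssh-style remote, or None when the
    remote never reaches ssh (https://, git://, plain local paths).

    Missing components are returned as None. Bracketed IPv6 hosts keep
    their colons and are returned with the brackets intact.
    """
    if "://" in url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in SSH_SCHEMES:
            return None
        # netloc is "[user@]host[:port]"; split from the right so an '@'
        # inside the user part cannot confuse the host extraction
        user, _, hostport = parts.netloc.rpartition("@")
        if hostport.startswith("[") and "]" in hostport:
            end = hostport.index("]")
            host, rest = hostport[: end + 1], hostport[end + 1 :]
            port = rest[1:] if rest.startswith(":") else ""
        else:
            host, _, port = hostport.partition(":")
        return user or None, host, port or None

    # scp-like syntax "[user@]host:path": a colon before the first slash
    # marks the remote as ssh (git special-cases Windows drive letters,
    # which this illustration does not)
    colon = url.find(":")
    slash = url.find("/")
    if colon > 0 and (slash == -1 or colon < slash):
        user, _, host = url[:colon].rpartition("@")
        return user or None, host, None
    return None


def looks_like_option(token):
    """True when a token handed to ssh would be read as a command-line flag."""
    return token is not None and token.startswith("-")


def check_remote_url(url):
    """Return (ok, reason). Rejects ssh-style remotes where any component
    that ends up on the ssh command line begins with '-'."""
    comps = ssh_components(url)
    if comps is None:
        return True, "not an ssh remote"
    user, host, port = comps
    for name, value in (("user", user), ("host", host), ("port", port)):
        if looks_like_option(value):
            return False, f"{name} {value!r} looks like a command-line option"
    if port is not None and not port.isdigit():
        return False, f"port {port!r} is not numeric"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample remotes, safe and unsafe
    for sample in (
        "ssh://git@example.org/proj.git",
        "git@example.org:proj.git",
        "https://example.org/proj.git",
        "ssh://-notahost/repo",
        "-notahost:repo",
        "ssh://-user@example.org/repo",
        "ssh://git@example.org:-1/repo",
    ):
        ok, reason = check_remote_url(sample)
        print(f"{'accept' if ok else 'REJECT'}  {sample:40}  {reason}")
```

Run before `git clone` or `git submodule update` on remotes taken from untrusted input; a rejected URL is exactly the kind the fixed git versions refuse themselves, so the check mainly matters on hosts still running a vulnerable release.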
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-08-10 21:55:05 UTC
Arches, please test & stabilize dev-vcs/git-2.13.5 (already in the tree prior to this bug).
Comment 2 Tobias Klausmann (RETIRED) gentoo-dev 2017-08-11 19:38:11 UTC
Stable on amd64.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2017-08-11 19:40:11 UTC
(In reply to Tobias Klausmann from comment #2)
> Stable on amd64.

Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-08-11 19:40:53 UTC
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-11 22:15:24 UTC
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-19 15:16:52 UTC
ppc/ppc64 stable
Comment 7 Richard Freeman gentoo-dev 2017-08-19 20:53:38 UTC
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-08-20 17:01:39 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2017-08-23 05:00:20 UTC
arm stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-07 21:03:25 UTC
sparc stable (thanks to Dakon)
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:14:57 UTC
hppa stable (thanks to Dakon)
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-08 22:15:18 UTC
Last arch is done here.
Comment 13 D'juan McDonald (domhnall) 2017-09-08 23:58:04 UTC
@maintainer(s), please clean-up tree, thank you!

Daj Uan (jmbailey/mbailey_j)
Gentoo Security Padawan
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-09-09 02:16:43 UTC
New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 19:04:27 UTC
This issue was resolved and addressed in
 GLSA 201709-10 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 19:05:18 UTC
Reopened for cleanup.

@maintainers, please clean the vulnerable versions.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-10-01 23:57:44 UTC
Maintainer(s), please drop the vulnerable version(s).

Comment 18 Larry the Git Cow gentoo-dev 2017-10-02 03:16:55 UTC
The bug has been referenced in the following commit(s):

commit 5fc034c016555ddaa8c84902f2e2c0b9c335185c
Author:     Robin H. Johnson <>
AuthorDate: 2017-10-02 03:16:33 +0000
Commit:     Robin H. Johnson <>
CommitDate: 2017-10-02 03:16:36 +0000

    dev-vcs/git: cleanup old ebuilds.
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-vcs/git/Manifest             |  12 -
 dev-vcs/git/git-2.13.0.ebuild    | 677 --------------------------------------
 dev-vcs/git/git-2.13.3.ebuild    | 680 --------------------------------------
 dev-vcs/git/git-2.13.4.ebuild    | 680 --------------------------------------
 dev-vcs/git/git-2.14.0-r1.ebuild | 691 ---------------------------------------
 dev-vcs/git/git-2.14.0.ebuild    | 680 --------------------------------------
 6 files changed, 3420 deletions(-)