Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 628488 (CVE-2017-12976) - <dev-vcs/git-annex-6.20170818: arbitrary command execution vulnerability (CVE-2017-12976)
Summary: <dev-vcs/git-annex-6.20170818: arbitrary command execution vulnerability (CVE...
Alias: CVE-2017-12976
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa cve]
Depends on:
Reported: 2017-08-21 10:34 UTC by D'juan McDonald (domhnall)
Modified: 2017-08-22 02:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2017-08-21 10:34:19 UTC
From $URL:

git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Comment 2 D'juan McDonald (domhnall) 2017-08-21 10:51:39 UTC
Upstream Fix:


after version bump please test and call for stabilization if needed. Thanks

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-08-21 21:35:03 UTC
Pushed new version as:

Dropped old version as:

As git-annex has no stable keywords we don't need to stabilize anything.

Thanks for the report!