From the changelog:

> Fix the "ssh://" protocol to prevent an attack whereby the attacker convinces a victim to run a "clone" with a dodgy URL and thereby gains access to their system.

source: http://fossil-scm.org/index.html/doc/trunk/www/changes.wiki

It looks like at least some of that has been cherry-picked to the branch-2.3 branch. However, looking at trunk's changelog and the 2.4 tarball, it seems that more of that went into the release, related to escaping possibly insecure stuff.

Reproducible: Always
Quoting the changelog entry from comment 1 but with line wrapping:

> Fix the "ssh://" protocol to prevent an attack whereby the attacker
> convinces a victim to run a "clone" with a dodgy URL and thereby
> gains access to their system.
(In reply to Sławomir Nizio from comment #0)

Thanks for the report. @Maintainers please call for stabilization when ready. Thank you.

CVE-2017-17459: http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
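The CVE text above names the injection point: a hostname (or user name) beginning with "-" is spliced into the ssh command line, where ssh's option parser treats it as an option rather than a destination. The following Python is an added illustration for this bug, not Fossil's http_transport.c and not the exact change shipped in 2.4. The URL grammar, the argv layout, the hypothetical "-oProxyCommand=evil" component and the helper names are assumptions of the example. It shows the unchecked argv construction beside a hardened one that refuses option-shaped components and additionally emits "--" before the target.

```python
"""Added illustration of the CVE-2017-17459 class of bug: an ssh:// URL whose user
or host component begins with '-' lands in ssh's argv, where ssh parses it as an
option instead of a name. Example code only; not Fossil's code nor its actual fix.
The grammar, argv layout and sample components below are assumptions."""
import re
from typing import Dict, List, Optional


class UnsafeUrlComponent(ValueError):
    """Raised when a user or host component would be parsed by ssh as an option."""


# Assumed grammar: ssh://[user@]host[:port][/path]. Fossil's own parser is not reproduced.
_SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^/:@]+)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)


def parse_ssh_url(url: str) -> Dict[str, Optional[str]]:
    m = _SSH_URL.match(url)
    if not m:
        raise ValueError(f"not an ssh:// URL: {url!r}")
    return m.groupdict()


def _target(p: Dict[str, Optional[str]]) -> str:
    return f"{p['user']}@{p['host']}" if p["user"] else str(p["host"])


def ssh_argv_unchecked(url: str) -> List[str]:
    """Vulnerable pattern: URL components go straight into argv. ssh reads options
    with getopt, so a target such as '-oProxyCommand=evil' (hypothetical sample) is
    taken as an option; ProxyCommand in particular makes ssh run a local command."""
    p = parse_ssh_url(url)
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    argv.append(_target(p))
    return argv  # the remote-side fossil invocation would follow; omitted here


def looks_like_option(component: str) -> bool:
    """ssh (via getopt) treats any argument beginning with '-' as an option."""
    return component.startswith("-")


def ssh_argv_hardened(url: str) -> List[str]:
    """Two independent defences: refuse option-shaped user/host components, and emit
    '--' before the target so ssh stops option parsing even if a check is missed."""
    p = parse_ssh_url(url)
    for name in ("user", "host"):
        value = p[name]
        if value and looks_like_option(value):
            raise UnsafeUrlComponent(f"{name} component {value!r} begins with '-'")
    argv = ["ssh"]
    if p["port"]:
        argv += ["-p", p["port"]]
    argv += ["--", _target(p)]
    return argv


def attacker_controlled_options(argv: List[str]) -> List[str]:
    """Model ssh's option scan over argv: every '-'-prefixed argument before '--' or
    the first positional is an option. Skip our own fixed '-p PORT' emission and
    return the options that came from URL components, i.e. the smuggled ones."""
    smuggled: List[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            break
        if arg == "-p":
            i += 2  # our own option plus its value
            continue
        if arg.startswith("-"):
            smuggled.append(arg)
            i += 1
            continue
        break  # first positional: ssh takes it as the destination
    return smuggled


def is_safe_ssh_url(url: str) -> bool:
    try:
        ssh_argv_hardened(url)
        return True
    except UnsafeUrlComponent:
        return False


if __name__ == "__main__":
    # Constructed sample URLs: one benign, two with option-shaped components.
    for u in ("ssh://alice@example.org:2222/repo",
              "ssh://-oProxyCommand=evil/repo",
              "ssh://-x@example.org/repo"):
        print(u, attacker_controlled_options(ssh_argv_unchecked(u)), is_safe_ssh_url(u))
```

The validation check is the essential part: "--" alone would still let a leading-dash component reach ssh as a destination, which merely fails to resolve, so the explicit rejection is what gives the user a clear error instead of surprising behaviour.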
Please stabilize: =dev-vcs/fossil-2.4 ~amd64 ~x86
An automated check of this bug failed - repoman reported dependency errors (37 lines truncated):

> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=dev-db/sqlite-3.20.0:3']
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: RDEPEND: amd64(default/linux/amd64/13.0) ['>=dev-db/sqlite-3.20.0:3']
> dependency.bad dev-vcs/fossil/fossil-2.4.ebuild: DEPEND: amd64(default/linux/amd64/13.0/desktop) ['>=dev-db/sqlite-3.20.0:3']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
amd64 stable
Stabilization of dev-db/sqlite-3.20.1-r1 was NOT approved here. The correct action would have been to make bug #640208 depend on bug #630738. dev-db/sqlite-3.20.1-r1 must be stabilized with 2 other packages at the same time.
amd64 stabilization reverted due to comment #7
@x86, ping.
x86 stable
@ Arches, please cleanup and drop <dev-vcs/fossil-2.4!
s/Arches/Maintainers, sorry :)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b037661b68a36a80fd76db911a266430374fb2a5

commit b037661b68a36a80fd76db911a266430374fb2a5
Author:     Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2018-01-22 10:48:56 +0000
Commit:     Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2018-01-22 10:48:56 +0000

    dev-vcs/fossil: Clean old, insecure

    Bug: https://bugs.gentoo.org/627674
    Bug: https://bugs.gentoo.org/640208
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 dev-vcs/fossil/Manifest           |  2 --
 dev-vcs/fossil/fossil-1.35.ebuild | 52 ------------------------------------
 dev-vcs/fossil/fossil-2.3.ebuild  | 55 ---------------------------------------
 3 files changed, 109 deletions(-)
GLSA request filed. Tree is clean.
This issue was resolved and addressed in GLSA 201801-20 at https://security.gentoo.org/glsa/201801-20 by GLSA coordinator Thomas Deutschmann (whissi).