Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 28 Sep 2017 16:53:02 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Advisory: Git cvsserver OS Command Injection

Hi

On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
> Hi,
> 
> 
> see attached advisory.
> 
> Cheers,
> 
> joernchen
> -- 
> joernchen ~ Phenoelit
> <joernchen@...noelit.de> ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->
> 
> [ Authors ]
>         joernchen       <joernchen () phenoelit de>
> 
>         Phenoelit Group (http://www.phenoelit.de)
> 
> [ Affected Products ]
>         Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
>         https://git-scm.com
> 
> [ Vendor communication ]
>         2017-09-08 Sent vulnerability details to the git-security list
>         2017-09-09 Acknowledgement of the issue, git maintainers ask if
>                    a patch could be provided
>         2017-09-10 Patch is provided
>         2017-09-11 Further backtick operations are patched by the git
>                    maintainers, corrections on the provided patch
>         2017-09-11 Revised patch is sent out
>         2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
>                    invocation from `git-shell`
>         2017-09-22 Draft release for git 2.14.2 is created including the
>                    fixes
>         2017-09-26 Release of this advisory, release of fixed git versions
> 
> [ Description ]
> 	The `git` subcommand `cvsserver` is a Perl script which makes excessive
> 	use of the backtick operator to invoke `git`. Unfortunately user input
>         is used within some of those invocations.
> 
> 
> 	It should be noted, that `git-cvsserver` will be invoked by `git-shell`
>         by default without further configuration.

FTR, this has been assigned CVE-2017-14867.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ