Date: Thu, 28 Sep 2017 16:53:02 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Advisory: Git cvsserver OS Command Injection

Hi

On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
> Hi,
> 
> 
> see attached advisory.
> 
> Cheers,
> 
> joernchen
> -- 
> joernchen ~ Phenoelit
> <joernchen@...noelit.de> ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de  ~ A46A 7199 8B7B 756A F5AC

> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->
> 
> [ Authors ]
>         joernchen       <joernchen () phenoelit de>
> 
>         Phenoelit Group (http://www.phenoelit.de)
> 
> [ Affected Products ]
>         Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
>         https://git-scm.com
> 
> [ Vendor communication ]
>         2017-09-08 Sent vulnerability details to the git-security list
>         2017-09-09 Acknowledgement of the issue, git maintainers ask if
>                    a patch could be provided
>         2017-09-10 Patch is provided
>         2017-09-11 Further backtick operations are patched by the git
>                    maintainers, corrections on the provided patch
>         2017-09-11 Revised patch is sent out
>         2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
>                    invocation from `git-shell`
>         2017-09-22 Draft release for git 2.14.2 is created including the
>                    fixes
>         2017-09-26 Release of this advisory, release of fixed git versions
> 
> [ Description ]
>         The `git` subcommand `cvsserver` is a Perl script which makes excessive
>         use of the backtick operator to invoke `git`. Unfortunately user input
>         is used within some of those invocations.
> 
>         It should be noted that `git-cvsserver` will be invoked by `git-shell`
>         by default without further configuration.

FTR, this has been assigned CVE-2017-14867.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867

Regards,
Salvatore
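The advisory's description names the mechanism (Perl backticks interpolating user input) but the quoted text does not show the pattern itself. The script below is an added illustration, not code from git-cvsserver, from the advisory, or from the fix that shipped in 2.14.2: it puts the vulnerable backtick pattern beside a hardened version. The function names, the whitelist regex and the attacker string are illustrative; it assumes `git` is on PATH and is run inside a git repository so that `HEAD` resolves.

```perl
#!/usr/bin/perl
# Added example (not git-cvsserver's own code): the Perl backtick pattern the
# advisory describes, beside a hardened version. Assumes `git` is on PATH and
# the script is run from inside a git repository; function names are
# illustrative and not taken from git.
use strict;
use warnings;

# Constructed attacker-controlled value, e.g. a ref name arriving over the
# pserver protocol. "HEAD" is a valid ref; the rest is a shell command.
my $evil_ref = 'HEAD; echo INJECTED >&2';

# Vulnerable: the interpolated string contains shell metacharacters (';', '>'),
# so Perl hands it to /bin/sh -c and the appended command runs as well.
sub vulnerable_rev_parse {
    my ($ref) = @_;
    return `git rev-parse $ref`;
}

# Hardened, step 1: accept only characters a ref name legitimately uses,
# refuse a leading '-' so the value cannot be parsed as a git option, and
# refuse '..' (never valid inside a ref name). Deliberately conservative.
sub looks_like_ref {
    my ($ref) = @_;
    return defined $ref
        && $ref =~ m{\A[A-Za-z0-9_][A-Za-z0-9_./-]*\z}
        && $ref !~ m{\.\.};
}

# Hardened, step 2: list-form pipe open passes argv straight to execve(2);
# no shell is involved, so metacharacters are just bytes in one argument.
# --verify --quiet makes git exit non-zero silently on an unknown ref.
sub safe_rev_parse {
    my ($ref) = @_;
    die "refusing suspicious ref name\n" unless looks_like_ref($ref);
    open(my $fh, '-|', 'git', 'rev-parse', '--verify', '--quiet', $ref)
        or die "cannot fork git: $!";
    my $sha = do { local $/; <$fh> };
    close $fh;                 # sets $? to git's exit status
    return $? == 0 ? $sha : undef;
}

# Vulnerable path: prints the sha of HEAD on stdout and "INJECTED" on stderr.
print "vulnerable: ", vulnerable_rev_parse($evil_ref);

# Hardened path: the string never reaches a shell; here the whitelist
# rejects it before git is even started.
my $sha = eval { safe_rev_parse($evil_ref) };
if ($@) {
    chomp(my $err = $@);
    print "hardened:   rejected ($err)\n";
} else {
    print "hardened:   ", ($sha // "no such ref\n");
}
```

Two caveats worth keeping in mind when auditing similar Perl. First, backticks, `system` and `exec` bypass `/bin/sh` only when Perl decides the command has no shell metacharacters, or when `system`/`exec`/`open` are given a list of more than one element; a single interpolated string with `;`, `|`, `>` or `$(...)` in it always goes through the shell, which is exactly the situation the advisory describes. Second, removing the shell is not sufficient on its own: a value that begins with `-` is still parsed by git as an option, so some validation of the argument (the whitelist above, or a `--` separator where the subcommand supports it) is needed as well.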
