Bug 1071709 (CVE-2017-17459)

Summary: VUL-0: CVE-2017-17459: fossil: client-side code execution via specially crafted ssh:// URL (ProxyCommand)
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <astieger>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: max
Version: Leap 42.3
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:NVD:CVE-2017-17459:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv3:NVD:CVE-2017-17459:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-17459:6.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) CVSSv3:SUSE:CVE-2017-17459:7.5:(AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2017-12-07 10:50:52 UTC
From https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki

> Fix the "ssh://" protocol to prevent an attack whereby the attacker
> convinces a victim to run a "clone" with a dodgy URL and thereby gains
> access to their system.

From https://www.fossil-scm.org/xfer/info/1f63db591c77108c

> Fix the SSH sync protocol to avoid "ssh" command-line option injection
> attacks such as those fixed in Git 2.14.1, Mercurial 4.2.3, and Subversion 1.9.7.
> As "ssh://" URLs cannot be buried out of sight in Fossil, the vulnerability does
> not appear to be as severe as in those other systems

Fixed in 2.4

git: bug 1052481 CVE-2017-1000117
svn: bug 1051362 CVE-2017-9800
Comment 3 Andreas Stieger 2017-12-07 14:07:40 UTC
Original write-up on http://blog.recurity-labs.com/2017-08-10/scm-vulns
Comment 4 Andreas Stieger 2017-12-07 18:51:38 UTC
CVE-2017-17459 assigned for:

http_transport.c in Fossil before 2.4, when the SSH sync protocol is
used, allows user-assisted remote attackers to execute arbitrary commands via an ssh
URL with an initial dash character in the hostname, a related issue to
CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176,
CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
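The mechanism behind the description and comment 4, as an added example that is not Fossil's http_transport.c nor the 2.4 patch: a client that splices the host part of an ssh:// URL straight into the ssh command line lets a host of "-oProxyCommand=..." be read by ssh as an option, and ProxyCommand runs on the victim's machine. The struct SshUrl, the functions parse_ssh_url, ssh_word_is_safe and build_ssh_argv, the ssh flags "-e none -T" and the remote command "fossil test-http" are assumptions made for this illustration, and the hostname "-oProxyCommand=calc" is a constructed sample. The hardening shown (refuse a user or host that starts with a dash, restrict the alphabet, and end ssh's option parsing with "--") is one reasonable mitigation, not a description of what Fossil 2.4 does.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 256
#define MAX_ARGS 16

/* Parsed form of ssh://[user@]host[:port]/path (hypothetical struct, not Fossil's). */
typedef struct {
  char user[BUFSZ];
  char host[BUFSZ];
  char port[BUFSZ];
  char path[BUFSZ];
} SshUrl;

/* Copy n bytes into a BUFSZ buffer and NUL-terminate; 0 if it would not fit. */
static int copy_n(char *zDst, const char *zSrc, size_t n){
  if( n>=BUFSZ ) return 0;
  memcpy(zDst, zSrc, n);
  zDst[n] = 0;
  return 1;
}

/* Split an ssh:// URL into its parts. Returns 1 on success, 0 on malformed input. */
int parse_ssh_url(const char *zUrl, SshUrl *p){
  const char *z, *zAt, *zColon, *zSlash, *zHostEnd;
  memset(p, 0, sizeof(*p));
  if( strncmp(zUrl, "ssh://", 6)!=0 ) return 0;
  z = zUrl + 6;
  zSlash = strchr(z, '/');
  if( zSlash==0 ) return 0;
  zAt = memchr(z, '@', (size_t)(zSlash-z));
  if( zAt ){
    if( !copy_n(p->user, z, (size_t)(zAt-z)) ) return 0;
    z = zAt+1;
  }
  zColon = memchr(z, ':', (size_t)(zSlash-z));
  zHostEnd = zColon ? zColon : zSlash;
  if( !copy_n(p->host, z, (size_t)(zHostEnd-z)) ) return 0;
  if( zColon && !copy_n(p->port, zColon+1, (size_t)(zSlash-zColon-1)) ) return 0;
  if( !copy_n(p->path, zSlash, strlen(zSlash)) ) return 0;
  return p->host[0]!=0;
}

/* A user or host that begins with '-' lands in ssh's option parser instead of
** being treated as the destination, so "-oProxyCommand=cmd" runs cmd on the
** client. Refuse that, and restrict the alphabet to what a hostname or user
** name can legitimately contain. */
int ssh_word_is_safe(const char *z){
  size_t i;
  if( z[0]==0 || z[0]=='-' ) return 0;
  for(i=0; z[i]; i++){
    unsigned char c = (unsigned char)z[i];
    if( !isalnum(c) && c!='.' && c!='-' && c!='_' ) return 0;
  }
  return 1;
}

/* Build the argv a client would hand to execvp("ssh", argv). With harden==0 the
** user@host token is appended unchecked, which is the vulnerable shape; with
** harden==1 unsafe tokens are refused (-1) and "--" closes option parsing
** before the destination. azArgv needs MAX_ARGS slots; zUserHost (BUFSZ bytes)
** receives the composed user@host token. The ssh flags and the remote
** "fossil test-http" command are assumed for illustration. Returns argc or -1. */
int build_ssh_argv(const SshUrl *p, int harden, const char **azArgv, char *zUserHost){
  int argc = 0;
  int n = p->user[0] ? snprintf(zUserHost, BUFSZ, "%s@%s", p->user, p->host)
                     : snprintf(zUserHost, BUFSZ, "%s", p->host);
  if( n<0 || n>=BUFSZ ) return -1;
  if( harden ){
    if( !ssh_word_is_safe(p->host) ) return -1;
    if( p->user[0] && !ssh_word_is_safe(p->user) ) return -1;
  }
  azArgv[argc++] = "ssh";
  azArgv[argc++] = "-e"; azArgv[argc++] = "none";   /* no escape character */
  azArgv[argc++] = "-T";                            /* no pty for the sync stream */
  if( p->port[0] ){ azArgv[argc++] = "-p"; azArgv[argc++] = p->port; }
  if( harden ) azArgv[argc++] = "--";               /* nothing after this is an option */
  azArgv[argc++] = zUserHost;                       /* attacker-controlled in the URL */
  azArgv[argc++] = "fossil";
  azArgv[argc++] = "test-http";
  azArgv[argc++] = p->path;
  azArgv[argc] = NULL;
  return argc;
}
```

With the unhardened build, the URL ssh://-oProxyCommand=calc/repo.fossil yields argv[4] = "-oProxyCommand=calc", exactly where ssh reads options, so "calc" is executed on the client before any connection is attempted. The dash check is the primary control; "--" is defence in depth, since a victim is still asked to confirm a visibly odd URL, which is the point the Fossil author makes about the issue being less severe than in systems where the URL can be hidden in a submodule or similar.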
Comment 5 Bernhard Wiedemann 2017-12-08 14:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1071709) was mentioned in
https://build.opensuse.org/request/show/555248 Factory / fossil
Comment 6 Swamp Workflow Management 2017-12-12 17:10:53 UTC
openSUSE-SU-2017:3271-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1071709
CVE References: CVE-2017-17459
Sources used:
openSUSE Leap 42.3 (src):    fossil-2.4-6.1
openSUSE Leap 42.2 (src):    fossil-2.4-5.6.1
Comment 7 Marcus Meissner 2017-12-18 07:59:04 UTC