Bug 1052481 - (CVE-2017-1000117) VUL-0: CVE-2017-1000117: git: client-side code execution via argument injection in SSH URLs, exploitable via submodules
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/189670/
CVSSv2:SUSE:CVE-2017-12426:5.1:(AV:N/...
Reported: 2017-08-07 07:20 UTC by Andreas Stieger
Modified: 2019-05-01 13:52 UTC
Found By: Security Response Team
Comment 3 Andreas Stieger 2017-08-10 19:24:28 UTC
Public at http://marc.info/?l=git&m=150238802328673&w=2

The latest maintenance release Git v2.14.1 is now available at the
usual places, together with releases for older maintenance tracks for
the same issue: v2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4,
and v2.13.5.

These contain a security fix for CVE-2017-1000117, and are released
in coordination with Subversion and Mercurial that share a similar
issue.  CVE-2017-9800 and CVE-2017-1000116 are assigned to these
systems, respectively, for issues similar to it that are now
addressed in their part of this coordinated release.

[...]

A malicious third-party can give a crafted "ssh://..." URL to an
unsuspecting victim, and an attempt to visit the URL can result in
any program that exists on the victim's machine being executed.
Such a URL could be placed in the .gitmodules file of a malicious
project, and an unsuspecting victim could be tricked into running
"git clone --recurse-submodules" to trigger the vulnerability.

Credits for finding and fixing the issue go to Brian Neel at GitLab, Joern
Schneeweisz of Recurity Labs and Jeff King at GitHub.

 * A "ssh://..." URL can result in a "ssh" command line with a
   hostname that begins with a dash "-", which would cause the "ssh"
   command to instead (mis)treat it as an option.  This is now
   prevented by forbidding such a hostname (which should not impact
   any real-world usage).

 * Similarly, when GIT_PROXY_COMMAND is configured, the command is
   run with host and port that are parsed out from "ssh://..." URL;
   a poorly written GIT_PROXY_COMMAND could be tricked into treating
   a string that begins with a dash "-" as an option.  This is now
   prevented by forbidding such a hostname and port number (again,
   which should not impact any real-world usage).

 * In the same spirit, a repository name that begins with a dash "-"
   is also forbidden now.
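
A defensive check for the condition the announcement above describes, as an added example that is not part of the bug report or of Git's own code: it scans .gitmodules text for SSH-style submodule URLs whose host, port or repository path begins with a dash. The sample file, the function names and the simplified URL parsing (user@host treated as one destination string, percent-decoding applied first, plain "url = value" lines only) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample .gitmodules content (not taken from the bug report).
SAMPLE_GITMODULES = '''\
[submodule "lib/ok"]
	path = lib/ok
	url = ssh://git@git.example.org:2222/team/ok.git
[submodule "lib/dash-host"]
	path = lib/dash-host
	url = ssh://-flagged.example/team/repo.git
[submodule "lib/dash-path"]
	path = lib/dash-path
	url = git.example.org:-repo.git
[submodule "lib/https"]
	path = lib/https
	url = https://git.example.org/team/web.git
'''

SSH_URL = re.compile(r"^(?:ssh|git\+ssh|ssh\+git)://([^/]*)(/.*)?$")
SCP_LIKE = re.compile(r"^([^/:]+):(.*)$")  # [user@]host:path, no scheme

def split_ssh_target(url):
    """Return (destination, port, path) for SSH-style URLs, else None."""
    m = SSH_URL.match(url)
    if m:
        dest, path = unquote(m.group(1)), unquote(m.group(2) or "")
        port = ""
        if not dest.endswith("]") and ":" in dest:  # keep bare IPv6 literals whole
            dest, _, port = dest.rpartition(":")
        return dest, port, path
    if "://" in url:
        return None  # some other transport, not covered by this check
    m = SCP_LIKE.match(url)
    return (m.group(1), "", m.group(2)) if m else None

def audit_gitmodules(text):
    """List (submodule, field, value) where an SSH URL part starts with '-'."""
    findings, name = [], None
    for line in (l.strip() for l in text.splitlines()):
        sec = re.match(r'^\[submodule "(.*)"\]$', line)
        if sec:
            name = sec.group(1)
        kv = re.match(r"^url\s*=\s*(.*)$", line)
        target = split_ssh_target(kv.group(1).strip()) if kv else None
        for field, value in zip(("host", "port", "path"), target or ()):
            if value.startswith("-"):
                findings.append((name, field, value))
    return findings
```

Running audit_gitmodules over a repository's .gitmodules before a recursive clone flags entries for review regardless of the installed Git version; it supplements the fixed releases listed above and does not replace them.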
Comment 4 Bernhard Wiedemann 2017-08-10 20:01:03 UTC
This is an autogenerated message for OBS integration:
This bug (1052481) was mentioned in
https://build.opensuse.org/request/show/515991 Factory / git
https://build.opensuse.org/request/show/515992 42.3 / git
Comment 5 Takashi Iwai 2017-08-10 21:14:12 UTC
Submitted for Leap 42.2:Update via SR#515997.

For SLE12:Update via SR#137607.
Comment 7 Bernhard Wiedemann 2017-08-10 22:02:11 UTC
This is an autogenerated message for OBS integration:
This bug (1052481) was mentioned in
https://build.opensuse.org/request/show/515997 42.2 / git
Comment 8 Takashi Iwai 2017-08-11 09:04:55 UTC
The fix for SLE11-SP1 was submitted via SR#137662.
Comment 10 Takashi Iwai 2017-08-11 12:58:21 UTC
Reassigned back to security team.
Comment 13 Swamp Workflow Management 2017-08-16 22:09:00 UTC
openSUSE-SU-2017:2182-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1052481
CVE References: CVE-2017-1000117
Sources used:
openSUSE Leap 42.3 (src):    git-2.13.5-3.1
Comment 17 Swamp Workflow Management 2017-08-21 16:08:07 UTC
SUSE-SU-2017:2225-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1052481
CVE References: CVE-2017-1000117
Sources used:
SUSE Studio Onsite 1.3 (src):    git-1.7.12.4-0.18.3.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    git-1.7.12.4-0.18.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    git-1.7.12.4-0.18.3.1
Comment 18 Takashi Iwai 2017-08-22 15:14:35 UTC
Now reassigned back again to security team.
Comment 19 Swamp Workflow Management 2017-09-01 01:11:06 UTC
SUSE-SU-2017:2320-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1052481
CVE References: CVE-2017-1000117
Sources used:
SUSE OpenStack Cloud 6 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server for SAP 12 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server 12-SP3 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    git-2.12.3-27.5.1
SUSE Linux Enterprise Server 12-LTSS (src):    git-2.12.3-27.5.1
SUSE Container as a Service Platform ALL (src):    git-2.12.3-27.5.1
OpenStack Cloud Magnum Orchestration 7 (src):    git-2.12.3-27.5.1
Comment 20 Andreas Stieger 2017-09-02 10:31:51 UTC
done
Comment 21 Swamp Workflow Management 2017-09-02 16:07:51 UTC
openSUSE-SU-2017:2331-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1052481
CVE References: CVE-2017-1000117
Sources used:
openSUSE Leap 42.2 (src):    git-2.12.3-5.10.1