Bugzilla – Bug 1071709
VUL-0: CVE-2017-17459: fossil: client-side code execution via specially crafted ssh:// URL (ProxyCommand)
Last modified: 2019-05-01 14:00:06 UTC
> Fix the "ssh://" protocol to prevent an attack whereby the attacker
> convinces a victim to run a "clone" with a dodgy URL and thereby gains
> access to their system.
> Fix the SSH sync protocol to avoid "ssh" command-line option injection
> attacks such as those fixed in Git 2.14.1, Mercurial 4.2.3, and Subversion 1.9.7.
> As "ssh://" URLs cannot be buried out of sight in Fossil, the vulnerability does
> not appear to be as severe as in those other systems
Fixed in 2.4
git: bug 1052481 CVE-2017-1000117
svn: bug 1051362 CVE-2017-9800
Original write-up on http://blog.recurity-labs.com/2017-08-10/scm-vulns
CVE-2017-17459 assigned for:
http_transport.c in Fossil before 2.4, when the SSH sync protocol is
used, allows user-assisted remote attackers to execute arbitrary commands via an ssh
URL with an initial dash character in the hostname, a related issue to
CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176,
CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
This is an autogenerated message for OBS integration:
This bug (1071709) was mentioned in
https://build.opensuse.org/request/show/555248 Factory / fossil
openSUSE-SU-2017:3271-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1071709
CVE References: CVE-2017-17459
openSUSE Leap 42.3 (src): fossil-2.4-6.1
openSUSE Leap 42.2 (src): fossil-2.4-5.6.1