Bug 1071709 - (CVE-2017-17459) VUL-0: CVE-2017-17459: fossil: client-side code execution via specially crafted ssh:// URL (ProxyCommand)
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2017-12-07 10:50 UTC by Andreas Stieger
Modified: 2019-05-01 14:00 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2017-12-07 10:50:52 UTC
From https://www.fossil-scm.org/xfer/doc/trunk/www/changes.wiki

> Fix the "ssh://" protocol to prevent an attack whereby the attacker
> convinces a victim to run a "clone" with a dodgy URL and thereby gains
> access to their system.

From https://www.fossil-scm.org/xfer/info/1f63db591c77108c

> Fix the SSH sync protocol to avoid "ssh" command-line option injection
> attacks such as those fixed in Git 2.14.1, Mercurial 4.2.3, and Subversion 1.9.7.
> As "ssh://" URLs cannot be buried out of sight in Fossil, the vulnerability does
> not appear to be as severe as in those other systems

Fixed in 2.4

git: bug 1052481 CVE-2017-1000117
svn: bug 1051362 CVE-2017-9800
Comment 3 Andreas Stieger 2017-12-07 14:07:40 UTC
Original write-up on http://blog.recurity-labs.com/2017-08-10/scm-vulns
Comment 4 Andreas Stieger 2017-12-07 18:51:38 UTC
CVE-2017-17459 assigned for:

http_transport.c in Fossil before 2.4, when the SSH sync protocol is
used, allows user-assisted remote attackers to execute arbitrary commands via an ssh
URL with an initial dash character in the hostname, a related issue to
CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176,
CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Comment 5 Bernhard Wiedemann 2017-12-08 14:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1071709) was mentioned in
https://build.opensuse.org/request/show/555248 Factory / fossil
Comment 6 Swamp Workflow Management 2017-12-12 17:10:53 UTC
openSUSE-SU-2017:3271-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1071709
CVE References: CVE-2017-17459
Sources used:
openSUSE Leap 42.3 (src):    fossil-2.4-6.1
openSUSE Leap 42.2 (src):    fossil-2.4-5.6.1
Comment 7 Marcus Meissner 2017-12-18 07:59:04 UTC