Date: Thu, 28 Sep 2017 16:53:02 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Advisory: Git cvsserver OS Command Injection

Hi

On Tue, Sep 26, 2017 at 11:03:49AM +0200, joernchen wrote:
> Hi,
>
> see attached advisory.
>
> Cheers,
>
> joernchen
> --
> joernchen ~ Phenoelit
> <joernchen@...noelit.de> ~ C776 3F67 7B95 03BF 5344
> http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
>
> Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++--->
>
> [ Authors ]
> joernchen <joernchen () phenoelit de>
>
> Phenoelit Group (http://www.phenoelit.de)
>
> [ Affected Products ]
> Git before 2.14.2, 2.13.6, 2.12.5, 2.11.4 and 2.10.5 (git-cvsserver)
> https://git-scm.com
>
> [ Vendor communication ]
> 2017-09-08 Sent vulnerability details to the git-security list
> 2017-09-09 Acknowledgement of the issue, git maintainers ask if
>            a patch could be provided
> 2017-09-10 Patch is provided
> 2017-09-11 Further backtick operations are patched by the git
>            maintainers, corrections on the provided patch
> 2017-09-11 Revised patch is sent out
> 2017-09-11 Jeff King proposes to drop `git-cvsserver`'s default
>            invocation from `git-shell`
> 2017-09-22 Draft release for git 2.14.2 is created including the
>            fixes
> 2017-09-26 Release of this advisory, release of fixed git versions
>
> [ Description ]
> The `git` subcommand `cvsserver` is a Perl script which makes excessive
> use of the backtick operator to invoke `git`. Unfortunately user input
> is used within some of those invocations.
>
> It should be noted that `git-cvsserver` will be invoked by `git-shell`
> by default without further configuration.

FTR, this has been assigned CVE-2017-14867.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867

Regards,
Salvatore
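The pattern the advisory describes, a Perl backtick invocation of `git` that interpolates a client-supplied value, shown beside a form that never involves a shell. This is an added illustration, not code from git-cvsserver, from the advisory, or from the git fix; the `rev_parse_unsafe`/`rev_parse_safe` names, the revision-name allowlist and the sample input are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not git-cvsserver code): backtick interpolation versus a
# list-form pipe open. Run from inside any git repository.
use strict;
use warnings;

# Hypothetical client-controlled value (constructed). A CVS client could send
# a revision or module name; here it carries a shell metacharacter.
my $untrusted = 'HEAD; echo INJECTED';

# Vulnerable pattern: the backtick operator passes the whole string to /bin/sh,
# so ';' ends the git command and the remainder runs as a second command.
sub rev_parse_unsafe {
    my ($rev) = @_;
    my $out = `git rev-parse $rev 2>/dev/null`;
    return $out;
}

# Hardened pattern: validate the value against a conservative allowlist, refuse
# anything that could be parsed as an option, then open a pipe with the
# multi-argument form so git receives the value verbatim and no shell runs.
sub rev_parse_safe {
    my ($rev) = @_;
    return (undef, 'rejected: characters outside allowlist')
        unless $rev =~ /\A[A-Za-z0-9._\/-]+\z/;
    # A leading '-' would reach git as an option, an argument-injection path
    # that list-form exec alone does not close.
    return (undef, 'rejected: leading dash') if $rev =~ /\A-/;
    open(my $fh, '-|', 'git', 'rev-parse', '--verify', $rev)
        or return (undef, "cannot run git: $!");
    my $out = do { local $/; <$fh> };
    close($fh);
    my $status = $? >> 8;
    return ($status == 0 ? $out : undef, $status == 0 ? undef : "git exit $status");
}

print "--- backtick form ---\n";
print rev_parse_unsafe($untrusted);   # prints the HEAD hash, then INJECTED

print "--- list-form open ---\n";
my ($sha, $err) = rev_parse_safe($untrusted);
print defined $sha ? $sha : "$err\n";  # rejected before git is ever executed

my ($ok_sha, $ok_err) = rev_parse_safe('HEAD');
print defined $ok_sha ? $ok_sha : "$ok_err\n";
```

The allowlist is deliberately narrow and would need widening for real CVS module names; the point is that the check happens before any process is spawned and that the list form of `open` (or `system`/`exec` with a list) leaves nothing for a shell to interpret. When auditing Perl for this class of bug, every backtick, `qx{}`, single-string `system`, and two-argument `open` with a trailing `|` is a site to inspect for interpolated input.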