Bug 45235 - git: Multiple issues (4.2)
git: Multiple issues (4.2)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 minor (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
Depends on:
Blocks: 37396
  Show dependency treegraph
Reported: 2017-08-21 16:08 CEST by Arvid Requate
Modified: 2018-05-08 14:56 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-08-21 16:08:36 CEST
Upstream Debian package version 1:2.1.4-2.1+deb8u4 fixes:

* Command injection via malicious ssh URLs (CVE-2017-1000117)
Comment 1 Arvid Requate univentionstaff 2017-10-30 17:04:40 CET
1:2.1.4-2.1+deb8u5 fixes:

* the git-cvsserver subcommand of Git, a distributed version control system, suffers from a shell command injection vulnerability due to unsafe use of the Perl backtick operator.  The git-cvsserver subcommand is reachable from the git-shell subcommand even if CVS support has not been configured (however, the git-cvs package needs to be installed) (CVE-2017-14867)
Comment 2 Philipp Hahn univentionstaff 2018-01-25 10:59:32 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 3 Quality Assurance univentionstaff 2018-05-04 16:55:42 CEST
--- mirror/ftp/4.2/unmaintained/4.2-2/source/git_2.1.4-2.1+deb8u3.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/git_2.1.4-2.1+deb8u5.dsc
@@ -1,3 +1,31 @@
+1:2.1.4-2.1+deb8u5 [Mon, 25 Sep 2017 12:12:03 -0700] Jonathan Nieder <jrnieder@gmail.com>:
+  * Fix remote shell command execution via CVS protocol:
+    - git-shell: drop cvsserver support by default
+    - git-cvsserver: harden backtick captures against user input
+  * Avoid shell command injection in other commands as well:
+    - git-cvsimport: harden backtick captures against user input
+    - git-archimport: harden backtick captures against user input
+  Thanks to joernchen of Phenoelit for discovering, reporting, and
+  fixing this vulnerability, and to Junio C Hamano and Jeff King for
+  the fixes to related issues.
+1:2.1.4-2.1+deb8u4 [Wed, 09 Aug 2017 23:30:50 -0700] Jonathan Nieder <jrnieder@gmail.com>:
+  * Fix CVE-2017-1000117, arbitrary code execution issues via URLs:
+    - reject ssh hostname that begins with a dash
+    - add test for hostname starting with dash to the testsuite
+    - factor out "looks like command line option" check
+    - reject dashed arguments to $GIT_PROXY_COMMAND
+    - ssh:// and local URLs: reject path to repositories that look
+      like command line options
+    Thanks to Joern Schneeweisz of Recurity Labs for discovering this
+    vulnerability, Brian Neel at GitLab for reporting it to the Git
+    project, and Junio Hamano and Jeff King for writing the patches to
+    address it.
 1:2.1.4-2.1+deb8u3 [Tue, 09 May 2017 16:18:46 -0700] Jonathan Nieder <jrnieder@gmail.com>:
   * Do not allow git helpers run via git-shell to launch a pager
Comment 4 Arvid Requate univentionstaff 2018-05-07 12:35:43 CEST
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory Ok
Comment 5 Arvid Requate univentionstaff 2018-05-08 14:56:30 CEST