Bug 1496344 - (CVE-2017-14867) CVE-2017-14867 git: cvsserver command injection
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170926,repor...
Keywords: Security
Depends On: 1496345
Blocks: 1496346

Reported: 2017-09-27 02:52 EDT by Andrej Nemec
Modified: 2018-05-10 14:22 EDT

Fixed In Version: git 2.10.5, git 2.11.4, git 2.12.5, git 2.13.6

Attachments
git 2.10.4 to 2.10.5 diff (16.48 KB, patch), 2017-10-05 05:47 EDT, Stefan Cornelius

Description Andrej Nemec 2017-09-27 02:52:14 EDT
The `git` subcommand `cvsserver` is a Perl script which makes excessive use of the backtick operator to invoke `git`. User input is used within some of those invocations. This potentially allows a local attacker to execute arbitrary code.

It should be noted that `git-cvsserver` will be invoked by `git-shell` by default, without further configuration.

References:

http://seclists.org/oss-sec/2017/q3/534
https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/
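The pattern the description refers to, as an added illustration rather than code taken from git-cvsserver or from the upstream fix: a Perl subroutine that builds a `git` command line with the backtick operator and interpolates a caller-supplied ref into it, next to the hardened form that uses the list variant of `open('-|', LIST)` so that no shell ever parses the argument. The subroutine names and the hostile input are constructed for the example; it assumes `git` is on PATH and is run inside any git repository.

```perl
#!/usr/bin/perl
# Added example (not git-cvsserver's own code): the backtick injection
# pattern beside a list-form pipe that bypasses the shell.
use strict;
use warnings;

# Vulnerable pattern: the backtick operator hands the whole string to
# /bin/sh, so any metacharacter in $ref (";", "|", "$(...)") is honoured.
sub rev_parse_unsafe {
    my ($ref) = @_;
    my $out = `git rev-parse $ref`;
    chomp $out;
    return $out;
}

# Hardened pattern: open('-|', LIST) execs git directly with an argv
# array, so ";" in $ref is just a byte in one argument. Values starting
# with "-" are rejected so the ref cannot be parsed as a git option either.
sub rev_parse_safe {
    my ($ref) = @_;
    die "refusing option-like ref: $ref\n" if $ref =~ /^-/;
    open(my $fh, '-|', 'git', 'rev-parse', '--verify', $ref)
        or die "cannot run git: $!\n";
    my $out = do { local $/; <$fh> };
    close $fh;                       # $? carries git's exit status
    $out = '' unless defined $out;
    chomp $out;
    return ($? >> 8) == 0 ? $out : '';
}

# Constructed hostile input: a "ref" that smuggles a second command.
my $hostile = 'HEAD; echo INJECTED';

print "unsafe: ", rev_parse_unsafe($hostile), "\n";  # output contains INJECTED
print "safe:   ", rev_parse_safe($hostile),   "\n";  # empty: git rejects the ref, nothing else runs
```

The unsafe call prints the commit id followed by the line `INJECTED`, showing that the trailing `echo` ran under the invoking account; in the cvsserver setting that account is whatever the ssh/git-shell user maps to. The safe call passes the entire string as a single argument to `git rev-parse --verify`, which fails with a "Needed a single revision" error on stderr and returns nothing.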
Comment 1 Andrej Nemec 2017-09-27 02:53:08 EDT
Created git tracking bugs for this issue:

Affects: openshift-1 [bug 1496345]
Comment 2 Todd Zullinger 2017-09-27 11:53:34 EDT
For systems to be vulnerable to the attack documented in http://seclists.org/oss-sec/2017/q3/att-534/git_cvsserver.txt the git-cvs package must be installed.  Most modern git servers will not need git-cvs and could remove it to mitigate the vulnerability.
Comment 3 Todd Zullinger 2017-09-28 11:38:07 EDT
This issue has now been assigned CVE-2017-14867, as noted in http://seclists.org/oss-sec/2017/q3/568.
Comment 4 Stefan Cornelius 2017-10-05 05:47 EDT
Created attachment 1334729 [details]
git 2.10.4 to 2.10.5 diff

Diff of 2.10.4 to 2.10.5. Linking individual commits is a bit messy in this case, so this seems to be the next best option.
Comment 6 Stefan Cornelius 2017-10-05 07:15:45 EDT
Mitigation:

In case you do not rely on the commands offered by the "-cvs" subpackage (for example "git cvsserver" or "git cvsimport") on RHEL or RHSCL, you can uninstall the git "-cvs" subpackage.
