Bug 21774

Summary: Git cvsserver OS Command Injection (CVE-2017-14867)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: git-2.13.5-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-09-27 01:57:39 CEST 
An advisory has been issued today (September 26):
http://openwall.com/lists/oss-security/2017/09/26/9

Updated packages uploaded for Mageia 6 and Cauldron.  Mageia 5 is not affected.

git-2.13.6-1.mga6
git-core-2.13.6-1.mga6
gitk-2.13.6-1.mga6
libgit-devel-2.13.6-1.mga6
git-svn-2.13.6-1.mga6
git-cvs-2.13.6-1.mga6
git-arch-2.13.6-1.mga6
git-email-2.13.6-1.mga6
perl-Git-2.13.6-1.mga6
perl-Git-SVN-2.13.6-1.mga6
git-core-oldies-2.13.6-1.mga6
gitweb-2.13.6-1.mga6
git-prompt-2.13.6-1.mga6

from git-2.13.6-1.mga6.src.rpm
Comment 1 David Walser 2017-09-29 12:05:03 CEST 
Fedora has issued an advisory for this on September 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ODJU26XWYQUE2Z65OUK5EVPC74VRIAPM/
Comment 2 David Walser 2017-09-29 21:16:04 CEST 
CVE-2017-14867 has been assigned for this:
http://openwall.com/lists/oss-security/2017/09/28/7

Summary: Git cvsserver OS Command Injection => Git cvsserver OS Command Injection (CVE-2017-14867)

Comment 3 Rémi Verschelde 2017-11-07 11:05:43 CET 
Installed the update candidate and git works OK on my end. I haven't checked if there's a PoC to reproduce, but given that this update has been stalled for a month I think we can go ahead.

Whiteboard: (none) => MGA6-64-OK

Comment 4 Rémi Verschelde 2017-11-07 11:08:43 CET 
Advisory uploaded as:

type: security
subject: Updated git packages fix security vulnerability
CVE:
 - CVE-2017-14867     
src:
  6:
   core:
     - git-2.13.6-1.mga6
description: |
  The `git` subcommand `cvsserver` is a Perl script which makes excessive
  use of the backtick operator to invoke `git`. Unfortunately user input
  is used within some of those invocations, which can be a OS Command
  Injection vulnerability (CVE-2017-14867).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=21774
 - http://openwall.com/lists/oss-security/2017/09/26/9

Whiteboard: MGA6-64-OK => MGA6-64-OK advisory

Rémi Verschelde 2017-11-07 11:09:01 CET

Whiteboard: MGA6-64-OK advisory => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-11-07 14:50:12 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0404.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED