Bug 20827 - git security vulnerability CVE-2017-8386
Summary: git security vulnerability CVE-2017-8386
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://www.linuxsecurity.com/content/...
Whiteboard: advisory
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-11 08:23 CEST by Zombie Ryushu
Modified: 2017-05-21 03:06 CEST

See Also:
Source RPM: git
CVE:
Status comment:


Description Zombie Ryushu 2017-05-11 08:23:17 CEST
Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
login shell for Git-only SSH access, allows a user to run an interactive
pager by causing it to spawn "git upload-pack --help".
Comment 1 Stig-Ørjan Smelror 2017-05-11 12:09:34 CEST
(In reply to Zombie Ryushu from comment #0)
> Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> login shell for Git-only SSH access, allows a user to run an interactive
> pager by causing it to spawn "git upload-pack --help".

Is this vulnerability present in the recent 2.13.0?
Comment 2 Marja van Waes 2017-05-11 13:38:51 CEST
(In reply to Stig-Ørjan Smelror from comment #1)
> (In reply to Zombie Ryushu from comment #0)
> > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> > login shell for Git-only SSH access, allows a user to run an interactive
> > pager by causing it to spawn "git upload-pack --help".
> 
> Is this vulnerability present in the recent 2.13.0?

It got fixed
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt

Changing component to Security and assigning to the registered maintainer.


(The CVE is still reserved, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )
Comment 3 Shlomi Fish 2017-05-11 19:54:10 CEST
(In reply to Marja van Waes from comment #2)
> (In reply to Stig-Ørjan Smelror from comment #1)
> > (In reply to Zombie Ryushu from comment #0)
> > > Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted
> > > login shell for Git-only SSH access, allows a user to run an interactive
> > > pager by causing it to spawn "git upload-pack --help".
> > 
> > Is this vulnerability present in the recent 2.13.0?
> 
> It got fixed
> https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.13.0.txt
> 
> Changing component to Security and assigning to the registered maintainer.
> 
> 
> (The CVE is still reserved,
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386 )

git-2.13.0 was pushed to Cauldron. Can I upgrade it to 2.13.0 on Mageia v5 as well?
Comment 4 David Walser 2017-05-13 19:02:57 CEST
Link to the actual Debian advisory from May 10:
https://www.debian.org/security/2017/dsa-3848

They backported a patch, so we may be able to use it for Mageia 5.
Comment 5 Shlomi Fish 2017-05-13 21:06:52 CEST
(In reply to David Walser from comment #4)
> Link to the actual Debian advisory from May 10:
> https://www.debian.org/security/2017/dsa-3848
> 
> They backported a patch, so we may be able to use it for Mageia 5.

Thanks, David!

I built a new git-2.7.4-1.1mga5 package for Mageia 5 core/updates_testing. Assigning to QA for testing. We also need to write an advisory.
Comment 6 David Walser 2017-05-13 21:10:39 CEST
Thanks Shlomi!

Advisory:
========================

Updated git packages fix security vulnerability:

Timo Schmid of ERNW GmbH discovered that the Git git-shell, a restricted login
shell for Git-only SSH access, allows a user to run an interactive pager by
causing it to spawn "git upload-pack --help" (CVE-2017-8386).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8386
https://www.debian.org/security/2017/dsa-3848
========================

Updated packages in core/updates_testing:
========================
git-2.7.4-1.1.mga5
git-core-2.7.4-1.1.mga5
gitk-2.7.4-1.1.mga5
gitview-2.7.4-1.1.mga5
libgit-devel-2.7.4-1.1.mga5
git-svn-2.7.4-1.1.mga5
git-cvs-2.7.4-1.1.mga5
git-arch-2.7.4-1.1.mga5
git-email-2.7.4-1.1.mga5
perl-Git-2.7.4-1.1.mga5
git-core-oldies-2.7.4-1.1.mga5
gitweb-2.7.4-1.1.mga5
git-prompt-2.7.4-1.1.mga5

from git-2.7.4-1.1.mga5.src.rpm
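
The issue described in the advisory above, as an added example that is not part of the original bug report or of git's own code: a Python check that audits command lines requested over SSH for a git-shell account and flags those where an option appears in place of the repository path. The function names, the sample lines, and the rule that any argument beginning with "-" is suspect are assumptions of this example.

```python
import shlex

# Services that git-shell dispatches to.
ALLOWED_SERVICES = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}


def check_git_shell_command(command_line):
    """Return (ok, reason) for one command line requested over SSH."""
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:
        return False, "unparseable quoting: %s" % exc
    if not argv:
        return False, "empty command"
    # git-shell accepts "git upload-pack" as a spelling of "git-upload-pack".
    if argv[0] == "git" and len(argv) > 1:
        argv = ["git-" + argv[1]] + argv[2:]
    if argv[0] not in ALLOWED_SERVICES:
        return False, "not a git-shell service: " + argv[0]
    if len(argv) != 2:
        return False, "expected exactly one repository argument"
    # Assumption of this example: an argument starting with "-" would be
    # parsed as an option by the spawned git command, as "--help" is.
    if argv[1].startswith("-"):
        return False, "argument begins with '-': " + argv[1]
    return True, "ok"


def audit(command_lines):
    """Return the (line, reason) pairs that fail the check."""
    findings = []
    for line in command_lines:
        ok, reason = check_git_shell_command(line)
        if not ok:
            findings.append((line, reason))
    return findings


# Constructed sample input, not taken from any real log.
SAMPLE_COMMANDS = [
    "git-upload-pack '/srv/git/project.git'",
    "git upload-pack --help",
    "git-receive-pack 'project.git'",
    "ls /srv/git",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_COMMANDS):
        print("REJECT %-30s %s" % (line, reason))
```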