Bug 21774 - Git cvsserver OS Command Injection (CVE-2017-14867)
Summary: Git cvsserver OS Command Injection (CVE-2017-14867)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-27 01:57 CEST by David Walser
Modified: 2017-11-07 14:50 CET (History)
1 user (show)

See Also:
Source RPM: git-2.13.5-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-09-27 01:57:39 CEST
An advisory has been issued today (September 26):
http://openwall.com/lists/oss-security/2017/09/26/9

Updated packages uploaded for Mageia 6 and Cauldron.  Mageia 5 is not affected.

git-2.13.6-1.mga6
git-core-2.13.6-1.mga6
gitk-2.13.6-1.mga6
libgit-devel-2.13.6-1.mga6
git-svn-2.13.6-1.mga6
git-cvs-2.13.6-1.mga6
git-arch-2.13.6-1.mga6
git-email-2.13.6-1.mga6
perl-Git-2.13.6-1.mga6
perl-Git-SVN-2.13.6-1.mga6
git-core-oldies-2.13.6-1.mga6
gitweb-2.13.6-1.mga6
git-prompt-2.13.6-1.mga6

from git-2.13.6-1.mga6.src.rpm
Comment 1 David Walser 2017-09-29 12:05:03 CEST
Fedora has issued an advisory for this on September 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ODJU26XWYQUE2Z65OUK5EVPC74VRIAPM/
Comment 2 David Walser 2017-09-29 21:16:04 CEST
CVE-2017-14867 has been assigned for this:
http://openwall.com/lists/oss-security/2017/09/28/7

Summary: Git cvsserver OS Command Injection => Git cvsserver OS Command Injection (CVE-2017-14867)

Comment 3 Rémi Verschelde 2017-11-07 11:05:43 CET
Installed the update candidate and git works OK on my end. I haven't checked if there's a PoC to reproduce, but given that this update has been stalled for a month I think we can go ahead.

Whiteboard: (none) => MGA6-64-OK

Comment 4 Rémi Verschelde 2017-11-07 11:08:43 CET
Advisory uploaded as:

type: security
subject: Updated git packages fix security vulnerability
CVE:
 - CVE-2017-14867     
src:
  6:
   core:
     - git-2.13.6-1.mga6
description: |
  The `git` subcommand `cvsserver` is a Perl script which makes excessive
  use of the backtick operator to invoke `git`. Unfortunately user input
  is used within some of those invocations, which can be a OS Command
  Injection vulnerability (CVE-2017-14867).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=21774
 - http://openwall.com/lists/oss-security/2017/09/26/9

Whiteboard: MGA6-64-OK => MGA6-64-OK advisory

Rémi Verschelde 2017-11-07 11:09:01 CET

Whiteboard: MGA6-64-OK advisory => MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 5 Mageia Robot 2017-11-07 14:50:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0404.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.