Commit 115585df authored by Antoine Beaupré

(stable) fix dashed ssh hostname issue CVE-2017-12976

Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated as an option. This could be used by an attacker
who provides a crafted ssh url (for eg a git remote) to execute arbitrary
code via ssh -oProxyCommand.

The same class of security hole recently affected git itself,
CVE-2017-1000117.

Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.

SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.

Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.

This was backported by Antoine Beaupré, from the upstream stable patch
provided by Joey Hess.
parent d6c001b3
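The smart-constructor approach described in the commit message, sketched as an added example; this is not code from git-annex or from the patch. The names `SshHost` and `mkSshHost` follow the commit message, while `fromSshHost`, `sshArgs`, the sample hostnames and the remote command are assumptions made for illustration.

```haskell
module Main (main) where

-- Added illustration, not git-annex code. In a real code base this type
-- would live in its own module that exports SshHost without its data
-- constructor, so that mkSshHost is the only way to build one.
newtype SshHost = SshHost String

-- Smart constructor: refuse a hostname that ssh would parse as an option.
mkSshHost :: String -> Either String SshHost
mkSshHost h@('-':_) = Left ("rejecting ssh hostname that starts with '-': " ++ h)
mkSshHost h = Right (SshHost h)

fromSshHost :: SshHost -> String
fromSshHost (SshHost h) = h

-- Hypothetical helper: the argument list can only be built from an SshHost,
-- so every call site has to go through mkSshHost first.
sshArgs :: SshHost -> [String] -> [String]
sshArgs host remoteCmd = fromSshHost host : remoteCmd

-- Constructed sample hostnames, as they might be parsed out of a remote URL.
samples :: [String]
samples = ["example.com", "git.example.org", "-oProxyCommand=placeholder"]

-- Describe what would happen for one candidate hostname.
report :: String -> String
report h = case mkSshHost h of
  Left err -> "refused:  " ++ err
  Right host -> "accepted: ssh " ++ unwords (sshArgs host ["echo", "ok"])

main :: IO ()
main = mapM_ (putStrLn . report) samples
```

Because the check lives in the type's only constructor, a call site that still passes a raw string as the hostname fails to compile instead of silently skipping validation.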
git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
execute arbitrary commands via an ssh URL with an initial dash
character in the hostname, as demonstrated by an ssh://-eProxyCommand=
URL (Closes: #873088)
-- Antoine Beaupré <anarcat@debian.org> Thu, 26 Oct 2017 10:28:29 -0400
git-annex (6.20170101-1) unstable; urgency=medium
* Package 6.20170101-1
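Review bot: The CVE-2017-12976 bullet in the new 6.20170101-1+deb9u1 entry describes the vulnerability but not the change this upload makes. Someone reading the changelog alone cannot tell that the fix is to reject ssh hostnames starting with a dash, that it is a backport of the upstream stable patch, or which patch file carries it. Consider adding a line that names CVE-2017-12976.patch and summarises the fix. The entry also illustrates the issue with an ssh://-eProxyCommand= URL while the commit message refers to ssh -oProxyCommand; a short note that both are forms of the same option-injection problem would keep the two descriptions from looking inconsistent.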
......
This diff is collapsed.
CVE-2017-12976.patch