SecurityTracker.com
SecurityTracker Archives
Category:   Application (Generic)  >   Git
Vendors:   kernel.org
(CentOS Issues Fix) Git 'ssh://' URL Processing Flaw Lets Remote Users Execute Arbitrary Commands on the Target System
SecurityTracker Alert ID:  1039207
SecurityTracker URL:  http://securitytracker.com/id/1039207
CVE Reference:   CVE-2017-1000117   (Links to External Site)
Date:  Aug 18 2017
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Git. A remote user can execute arbitrary code on the target system.

A remote user (for example, via a repository the target user clones) can supply a specially crafted 'ssh://' URL that causes arbitrary shell commands to execute on the target user's system. The commands run with the privileges of the target user.

The vulnerability can be triggered during 'clone' commands.

The original advisory is available at:

http://blog.recurity-labs.com/2017-08-10/scm-vulns

Joern Schneeweisz of Recurity Labs reported this vulnerability.

Impact:   A remote user can execute arbitrary shell commands on the target system.
Solution:   CentOS has issued a fix.

i386:
c3d50bf1e6327e69adee222ded15d4416e6a45a0f5eef9a7338cda96c6a97f4f emacs-git-1.7.1-9.el6_9.noarch.rpm
7ec4e9e29cace79b9a1d8d6320817319aac603af77b8aad38c8c850e9a9d118b emacs-git-el-1.7.1-9.el6_9.noarch.rpm
91e909b4dbcc937198226d9664a7c9170f987f8c0d620e4cdeb8297202a745af git-1.7.1-9.el6_9.i686.rpm
77ca5f9cf10f412ba72e2ee6fc6be083b0281cfb4ad948523a79ae7a6c3a3955 git-all-1.7.1-9.el6_9.noarch.rpm
885ba5d4abd9b8d2f6a6cb860d3d1e724153048558e5f2fc8d58a5848e7f89bc git-cvs-1.7.1-9.el6_9.noarch.rpm
78bdf784c49d83d6a84406de5ff4c952646c15ed497a417f3a7e776b60aadd47 git-daemon-1.7.1-9.el6_9.i686.rpm
d5279c2b49e038f68a837de3b3e3f7876e7ff4e9d36bc0f0b9b6ec22a6c723ff git-email-1.7.1-9.el6_9.noarch.rpm
2f20e5ca6af534075d080bb629a82774f6f6d2981380ab68e5771d6a8daf5d1d git-gui-1.7.1-9.el6_9.noarch.rpm
f041ee76b09bf85c93f150e633b0f457a712ad9edacb0d3d9010e9b8767e3770 gitk-1.7.1-9.el6_9.noarch.rpm
ee5f9f0e3bc5d579bccf2708b84d07f54cee955efe9f8da0a32f187c9ffbb836 git-svn-1.7.1-9.el6_9.noarch.rpm
ed48d84b39f9c74b6e16434c28ad2e93333c9743a29a8a7712de3eba78accd84 gitweb-1.7.1-9.el6_9.noarch.rpm
db23d3712122cd544b0e33deab5bd654c1558906889ebc6ae8c44629e1cd2efa perl-Git-1.7.1-9.el6_9.noarch.rpm

x86_64:
c3d50bf1e6327e69adee222ded15d4416e6a45a0f5eef9a7338cda96c6a97f4f emacs-git-1.7.1-9.el6_9.noarch.rpm
7ec4e9e29cace79b9a1d8d6320817319aac603af77b8aad38c8c850e9a9d118b emacs-git-el-1.7.1-9.el6_9.noarch.rpm
fd0f5ec88f14342c35ac1b255a85a4676a498bf73e39142028970e157eea58a9 git-1.7.1-9.el6_9.x86_64.rpm
77ca5f9cf10f412ba72e2ee6fc6be083b0281cfb4ad948523a79ae7a6c3a3955 git-all-1.7.1-9.el6_9.noarch.rpm
885ba5d4abd9b8d2f6a6cb860d3d1e724153048558e5f2fc8d58a5848e7f89bc git-cvs-1.7.1-9.el6_9.noarch.rpm
146ed31a8e45fb06a546c0483dfe144dac5c5c3971d793c6570ed3599663dba5 git-daemon-1.7.1-9.el6_9.x86_64.rpm
d5279c2b49e038f68a837de3b3e3f7876e7ff4e9d36bc0f0b9b6ec22a6c723ff git-email-1.7.1-9.el6_9.noarch.rpm
2f20e5ca6af534075d080bb629a82774f6f6d2981380ab68e5771d6a8daf5d1d git-gui-1.7.1-9.el6_9.noarch.rpm
f041ee76b09bf85c93f150e633b0f457a712ad9edacb0d3d9010e9b8767e3770 gitk-1.7.1-9.el6_9.noarch.rpm
ee5f9f0e3bc5d579bccf2708b84d07f54cee955efe9f8da0a32f187c9ffbb836 git-svn-1.7.1-9.el6_9.noarch.rpm
ed48d84b39f9c74b6e16434c28ad2e93333c9743a29a8a7712de3eba78accd84 gitweb-1.7.1-9.el6_9.noarch.rpm
db23d3712122cd544b0e33deab5bd654c1558906889ebc6ae8c44629e1cd2efa perl-Git-1.7.1-9.el6_9.noarch.rpm

Source:
74f8d2e2bf749caf808e0246164c0c453aa7a09a917ce439764b8588d767c69b git-1.7.1-9.el6_9.src.rpm
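A practitioner applying this update normally wants two checks: that downloaded packages match the sha256 sums published above, and that the installed git package is at or beyond the fixed version-release (1.7.1-9.el6_9). The script below is an added example, not CentOS or SecurityTracker code. It parses advisory-style "sha256  filename" lines (the x86_64 list is copied from the advisory), compares file contents against them, and compares installed version/release strings using a simplified reimplementation of rpm's segment-wise rpmvercmp rules (tilde and caret ordering are not handled). The file bytes in the main block are a constructed placeholder; a real run would read the downloaded .rpm files, and the installed version/release can be obtained with `rpm -q --qf '%{VERSION} %{RELEASE}\n' git`.

```python
import hashlib
import hmac
import re

# Package list for CentOS 6 x86_64, copied from the CESA-2017:2485 advisory on this page.
ADVISORY_SHA256_LISTING = """\
x86_64:
c3d50bf1e6327e69adee222ded15d4416e6a45a0f5eef9a7338cda96c6a97f4f  emacs-git-1.7.1-9.el6_9.noarch.rpm
7ec4e9e29cace79b9a1d8d6320817319aac603af77b8aad38c8c850e9a9d118b  emacs-git-el-1.7.1-9.el6_9.noarch.rpm
fd0f5ec88f14342c35ac1b255a85a4676a498bf73e39142028970e157eea58a9  git-1.7.1-9.el6_9.x86_64.rpm
77ca5f9cf10f412ba72e2ee6fc6be083b0281cfb4ad948523a79ae7a6c3a3955  git-all-1.7.1-9.el6_9.noarch.rpm
885ba5d4abd9b8d2f6a6cb860d3d1e724153048558e5f2fc8d58a5848e7f89bc  git-cvs-1.7.1-9.el6_9.noarch.rpm
146ed31a8e45fb06a546c0483dfe144dac5c5c3971d793c6570ed3599663dba5  git-daemon-1.7.1-9.el6_9.x86_64.rpm
d5279c2b49e038f68a837de3b3e3f7876e7ff4e9d36bc0f0b9b6ec22a6c723ff  git-email-1.7.1-9.el6_9.noarch.rpm
2f20e5ca6af534075d080bb629a82774f6f6d2981380ab68e5771d6a8daf5d1d  git-gui-1.7.1-9.el6_9.noarch.rpm
f041ee76b09bf85c93f150e633b0f457a712ad9edacb0d3d9010e9b8767e3770  gitk-1.7.1-9.el6_9.noarch.rpm
ee5f9f0e3bc5d579bccf2708b84d07f54cee955efe9f8da0a32f187c9ffbb836  git-svn-1.7.1-9.el6_9.noarch.rpm
ed48d84b39f9c74b6e16434c28ad2e93333c9743a29a8a7712de3eba78accd84  gitweb-1.7.1-9.el6_9.noarch.rpm
db23d3712122cd544b0e33deab5bd654c1558906889ebc6ae8c44629e1cd2efa  perl-Git-1.7.1-9.el6_9.noarch.rpm
"""

# Version and release of the git package carrying the fix, per the advisory.
FIXED_VERSION = "1.7.1"
FIXED_RELEASE = "9.el6_9"


def parse_listing(text):
    """Return {filename: sha256hex} from '<sha256>  <filename>' lines.

    Accepts one or more spaces between digest and name, skips blank lines and
    architecture headers such as 'x86_64:'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        digest, name = line.split(None, 1)
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        entries[name] = digest
    return entries


def verify_files(listing, files):
    """files: {filename: bytes}. Returns {filename: 'ok'|'mismatch'|'not-in-advisory'}."""
    result = {}
    for name, data in files.items():
        expected = listing.get(name)
        if expected is None:
            result[name] = "not-in-advisory"
            continue
        actual = hashlib.sha256(data).hexdigest()
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return result


def _segments(s):
    # rpm compares alternating runs of digits and letters; other characters only separate them.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version (or release) strings the way rpm's
    rpmvercmp does, simplified: numeric segments compare as integers, alphabetic
    segments compare as strings, a numeric segment beats an alphabetic one, and the
    string with segments left over wins. Tilde/caret ordering is not handled."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def has_fix(installed_version, installed_release):
    """True if the installed git version-release is at or beyond the fixed one."""
    c = rpmvercmp(installed_version, FIXED_VERSION)
    if c != 0:
        return c > 0
    return rpmvercmp(installed_release, FIXED_RELEASE) >= 0


if __name__ == "__main__":
    listing = parse_listing(ADVISORY_SHA256_LISTING)
    # Constructed placeholder bytes; a real run reads the downloaded .rpm from disk.
    files = {"git-1.7.1-9.el6_9.x86_64.rpm": b"constructed placeholder, not the real rpm"}
    for name, status in verify_files(listing, files).items():
        print(f"{status:16} {name}")
    # Hypothetical installed versions, for illustration only.
    print("1.7.1-8.el6_9 has fix:", has_fix("1.7.1", "8.el6_9"))
    print("1.7.1-9.el6_9 has fix:", has_fix("1.7.1", "9.el6_9"))
```

The digest comparison uses `hmac.compare_digest` purely out of habit for comparing hex strings; the important property here is that any file not named in the advisory is reported separately rather than silently passed.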

Cause:   Input validation error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6

Message History:   This archive entry is a follow-up to the message listed below.
Aug 11 2017 Git 'ssh://' URL Processing Flaw Lets Remote Users Execute Arbitrary Commands on the Target System



Source Message Contents

Subject:  [CentOS-announce] CESA-2017:2485 Important CentOS 6 git Security Update


CentOS Errata and Security Advisory 2017:2485 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2017:2485

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

i386:
c3d50bf1e6327e69adee222ded15d4416e6a45a0f5eef9a7338cda96c6a97f4f  emacs-git-1.7.1-9.el6_9.noarch.rpm
7ec4e9e29cace79b9a1d8d6320817319aac603af77b8aad38c8c850e9a9d118b  emacs-git-el-1.7.1-9.el6_9.noarch.rpm
91e909b4dbcc937198226d9664a7c9170f987f8c0d620e4cdeb8297202a745af  git-1.7.1-9.el6_9.i686.rpm
77ca5f9cf10f412ba72e2ee6fc6be083b0281cfb4ad948523a79ae7a6c3a3955  git-all-1.7.1-9.el6_9.noarch.rpm
885ba5d4abd9b8d2f6a6cb860d3d1e724153048558e5f2fc8d58a5848e7f89bc  git-cvs-1.7.1-9.el6_9.noarch.rpm
78bdf784c49d83d6a84406de5ff4c952646c15ed497a417f3a7e776b60aadd47  git-daemon-1.7.1-9.el6_9.i686.rpm
d5279c2b49e038f68a837de3b3e3f7876e7ff4e9d36bc0f0b9b6ec22a6c723ff  git-email-1.7.1-9.el6_9.noarch.rpm
2f20e5ca6af534075d080bb629a82774f6f6d2981380ab68e5771d6a8daf5d1d  git-gui-1.7.1-9.el6_9.noarch.rpm
f041ee76b09bf85c93f150e633b0f457a712ad9edacb0d3d9010e9b8767e3770  gitk-1.7.1-9.el6_9.noarch.rpm
ee5f9f0e3bc5d579bccf2708b84d07f54cee955efe9f8da0a32f187c9ffbb836  git-svn-1.7.1-9.el6_9.noarch.rpm
ed48d84b39f9c74b6e16434c28ad2e93333c9743a29a8a7712de3eba78accd84  gitweb-1.7.1-9.el6_9.noarch.rpm
db23d3712122cd544b0e33deab5bd654c1558906889ebc6ae8c44629e1cd2efa  perl-Git-1.7.1-9.el6_9.noarch.rpm

x86_64:
c3d50bf1e6327e69adee222ded15d4416e6a45a0f5eef9a7338cda96c6a97f4f  emacs-git-1.7.1-9.el6_9.noarch.rpm
7ec4e9e29cace79b9a1d8d6320817319aac603af77b8aad38c8c850e9a9d118b  emacs-git-el-1.7.1-9.el6_9.noarch.rpm
fd0f5ec88f14342c35ac1b255a85a4676a498bf73e39142028970e157eea58a9  git-1.7.1-9.el6_9.x86_64.rpm
77ca5f9cf10f412ba72e2ee6fc6be083b0281cfb4ad948523a79ae7a6c3a3955  git-all-1.7.1-9.el6_9.noarch.rpm
885ba5d4abd9b8d2f6a6cb860d3d1e724153048558e5f2fc8d58a5848e7f89bc  git-cvs-1.7.1-9.el6_9.noarch.rpm
146ed31a8e45fb06a546c0483dfe144dac5c5c3971d793c6570ed3599663dba5  git-daemon-1.7.1-9.el6_9.x86_64.rpm
d5279c2b49e038f68a837de3b3e3f7876e7ff4e9d36bc0f0b9b6ec22a6c723ff  git-email-1.7.1-9.el6_9.noarch.rpm
2f20e5ca6af534075d080bb629a82774f6f6d2981380ab68e5771d6a8daf5d1d  git-gui-1.7.1-9.el6_9.noarch.rpm
f041ee76b09bf85c93f150e633b0f457a712ad9edacb0d3d9010e9b8767e3770  gitk-1.7.1-9.el6_9.noarch.rpm
ee5f9f0e3bc5d579bccf2708b84d07f54cee955efe9f8da0a32f187c9ffbb836  git-svn-1.7.1-9.el6_9.noarch.rpm
ed48d84b39f9c74b6e16434c28ad2e93333c9743a29a8a7712de3eba78accd84  gitweb-1.7.1-9.el6_9.noarch.rpm
db23d3712122cd544b0e33deab5bd654c1558906889ebc6ae8c44629e1cd2efa  perl-Git-1.7.1-9.el6_9.noarch.rpm

Source:
74f8d2e2bf749caf808e0246164c0c453aa7a09a917ce439764b8588d767c69b  git-1.7.1-9.el6_9.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce

Copyright 2017, SecurityGlobal.net LLC