CVE-2017-12976

NameCVE-2017-12976
Descriptiongit-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1144-1, DLA-1495-1, DSA-4010-1
Debian Bugs873088

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git-annex (PTS)bullseye8.20210223-2fixed
bookworm10.20230126-3fixed
trixie10.20240927-1fixed
sid10.20241031-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
git-annexsourcewheezy3.20120629+deb7u1DLA-1144-1
git-annexsourcejessie5.20141125+oops-1+deb8u2DLA-1495-1
git-annexsourcestretch6.20170101-1+deb9u1DSA-4010-1
git-annexsource(unstable)6.20170818-1873088

Notes

http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a
http://source.git-annex.branchable.com/?p=source.git;a=blob;f=doc/bugs/dashed_ssh_hostname_security_hole.mdwn
jessie patch: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
stretch patch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
This is similar class of issue as for CVE-2017-1000117/git

Search for package or bug name: Reporting problems