Name | CVE-2017-12976 |
Description | git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-1144-1, DLA-1495-1, DSA-4010-1 |
Debian Bugs | 873088 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
git-annex (PTS) | bullseye | 8.20210223-2 | fixed |
bookworm | 10.20230126-3 | fixed | |
trixie | 10.20240927-1 | fixed | |
sid | 10.20241031-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
git-annex | source | wheezy | 3.20120629+deb7u1 | DLA-1144-1 | ||
git-annex | source | jessie | 5.20141125+oops-1+deb8u2 | DLA-1495-1 | ||
git-annex | source | stretch | 6.20170101-1+deb9u1 | DSA-4010-1 | ||
git-annex | source | (unstable) | 6.20170818-1 | 873088 |
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a
http://source.git-annex.branchable.com/?p=source.git;a=blob;f=doc/bugs/dashed_ssh_hostname_security_hole.mdwn
jessie patch: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
stretch patch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
This is similar class of issue as for CVE-2017-1000117/git