CVE-2017-12976

NameCVE-2017-12976
Descriptiongit-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1144-1, DSA-4010-1
NVD severitymedium (attack range: remote)
Debian Bugs873088

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
git-annex (PTS)wheezy3.20120629vulnerable
wheezy (security)3.20120629+deb7u1fixed
jessie5.20141125vulnerable
jessie (security)5.20141125+deb8u1fixed
stretch6.20170101-1vulnerable
stretch (security)6.20170101-1+deb9u1fixed
buster, sid6.20170818-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
git-annexsource(unstable)6.20170818-1medium873088
git-annexsourcejessie5.20141125+deb8u1mediumDSA-4010-1
git-annexsourcestretch6.20170101-1+deb9u1mediumDSA-4010-1
git-annexsourcewheezy3.20120629+deb7u1mediumDLA-1144-1

Notes

http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a
http://source.git-annex.branchable.com/?p=source.git;a=blob;f=doc/bugs/dashed_ssh_hostname_security_hole.mdwn
jessie patch: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
stretch patch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
This is similar class of issue as for CVE-2017-1000117/git

Search for package or bug name: Reporting problems