| Name | CVE-2017-12976 |
| Description | git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1144-1, DLA-1495-1, DSA-4010-1 |
| Debian Bugs | 873088 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| git-annex (PTS) | bullseye | 8.20210223-2 | fixed |
| bookworm | 10.20230126-3 | fixed | |
| trixie | 10.20240927-1 | fixed | |
| sid | 10.20241031-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| git-annex | source | wheezy | 3.20120629+deb7u1 | DLA-1144-1 | ||
| git-annex | source | jessie | 5.20141125+oops-1+deb8u2 | DLA-1495-1 | ||
| git-annex | source | stretch | 6.20170101-1+deb9u1 | DSA-4010-1 | ||
| git-annex | source | (unstable) | 6.20170818-1 | 873088 |
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a
http://source.git-annex.branchable.com/?p=source.git;a=blob;f=doc/bugs/dashed_ssh_hostname_security_hole.mdwn
jessie patch: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
stretch patch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
This is similar class of issue as for CVE-2017-1000117/git