Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/glsa-201709-10.xml
blob: 0cc40127fedf72e3f7552a3864cf5e38040d50be (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201709-10">
  <title>Git: Command injection</title>
  <synopsis>A command injection vulnerability in Git may allow remote attackers
    to execute arbitrary code.
  </synopsis>
  <product type="ebuild">git</product>
  <announced>2017-09-17</announced>
  <revised count="1">2017-09-17</revised>
  <bug>627488</bug>
  <access>remote</access>
  <affected>
    <package name="dev-vcs/git" auto="yes" arch="*">
      <unaffected range="ge">2.13.5</unaffected>
      <vulnerable range="lt">2.13.5</vulnerable>
    </package>
  </affected>
  <background>
    <p>Git is a small and fast distributed version control system designed to
      handle small and large projects.
    </p>
  </background>
  <description>
    <p>Specially crafted ‘ssh://...’ URLs may allow the owner of the
      repository to execute arbitrary commands on client’s machine if those
      commands are already installed on the client’s system. This is
      especially dangerous when the third-party repository has one or more
      submodules with specially crafted ‘ssh://...’ URLs. Each time the
      repository is recursively cloned or submodules are updated the payload
      will be triggered.
    </p>
  </description>
  <impact type="normal">
    <p>A remote attacker, by enticing a user to clone a specially crafted
      repository, could possibly execute arbitrary code with the privileges of
      the process.
    </p>
  </impact>
  <workaround>
    <p>There is no known workaround at this time.</p>
  </workaround>
  <resolution>
    <p>All Git users should upgrade to the latest version:</p>
    
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=dev-vcs/git-2.13.5"
    </code>
  </resolution>
  <references>
    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000117">
      CVE-2017-1000117
    </uri>
    <uri link="https://marc.info/?l=git&amp;m=150238802328673&amp;w=2">Mailing
      list ARChives (MARC) Git Team Announce
    </uri>
  </references>
  <metadata tag="requester" timestamp="2017-09-08T23:46:38Z">b-man</metadata>
  <metadata tag="submitter" timestamp="2017-09-17T19:03:46Z">chrisadr</metadata>
</glsa>