
Re: CVS and ssh command injection (see CVE-2017-1000117, etc.)

From Thorsten Glaser <tg@mirbsd.de>
Newsgroups gnu.cvs.bug
Subject Re: CVS and ssh command injection (see CVE-2017-1000117, etc.)
Date 2017-08-13 21:49 +0000
Message-ID <mailman.13082.1502694789.21957.bug-cvs@nongnu.org> (permalink)
References <20170810220037.de2c6297-477f-4954-a93d-aa7b6e300ca8@korelogic.com>



Hank Leininger dixit:

>Of course, the repo specification looks very odd, so tricking a victim
>may be harder than for SCM tools where it's prefixed by an ssh://, or

It’s also immediately obvious and quite hard to exploit at all, I agree.

>  https://marc.info/?l=oss-security&m=150241876103454&w=2

This was forwarded to me via Debian, and I fixed it in MirBSD and Debian
and wrote about it, publishing a patch:

http://www.mirbsd.org/permalinks/wlog-10_e20170811-tg.htm

Incidentally, CVS has too many mailing lists, I’m subscribed on some,
but not this one (I prefer having one list only, plus one for commits,
I’ve not fully taken over CVS upstream yet, though). But if you have
to deal with CVS again, feel free to Cc me or so.

Thanks,
//mirabilos
-- 
13:22⎜«neurodamage» mira, what's up man? I have a CVS question for you in #cvs
13:22⎜«neurodamage» since you're so good w. it │ «neurodamage:#cvs» i love you
13:28⎜«neurodamage:#cvs» you're a handy guy to have around for systems stuff ☺
16:06⎜<Draget:#cvs> Thank god I found you =)   20:03│«bioe007:#cvs» mira2k: ty
17:14⎜<ldiain:#cvs> Thanks big help you are :-)   <bioe007> mira|nwt: ty again
18:35⎜«alturiak:#cvs» mirabilos: aw, nice. thanks :o
18:36⎜«ThunderChicken:#cvs» mirabilos FTW!  23:03⎜«mithraic:#cvs» aaah. thanks
18:41⎜«alturiak:#cvs» phew. thanks a bunch, guys. you just made my weekend :-)
18:10⎜«sumit:#cvs» mirabilos: oh ok.. thanks for that
21:57⎜<bhuey:#cvs> yeah, I really appreciate help
18:50⎜«grndlvl:#cvs» thankyou            18:50⎜«grndlvl:#cvs» worked perfectly
20:50⎜<paolo:#cvs> i see. mirabilos, thnks for your support
00:36⎜«halirutan:#cvs» ok, the obvious way:-) thx
18:44⎜«arcfide:#cvs» mirabilos, I am running OpenBSD.     18:59⎜«arcfide:#cvs»
Hrm, yes, I see what you mean. 19:01⎜«arcfide:#cvs» Yeah, thanks for the help.
21:33⎜«CardinalFang:#cvs» Ugh.  Okay.  Sorry for the dumb question.  Thank you
21:34⎜<centosian:#cvs> mirabilos: whoa that's sweet
21:52⎜«garrett__:#cvs» much appreciated  «garrett__:#cvs» thanks for your time
23:39⎜<symons:#cvs> this worked, thank you very much 16:26⎜<schweizer:#cvs> ok
thx, i'll try that     20:00⎜«stableable:#cvs» Thank you.    20:50⎜«s833:#cvs»
mirabilos: thanks a lot.        19:34⎜<bobbytek:#cvs> Thanks for confirming :)
20:08⎜<tsolox:#cvs> ...works like a charm.. thanks mirabilos
