CLD-58 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-14867 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) DSA-3984-1

Basic Information:

Affected Package(s) git
Deficiency Type SECURITY
Date Created 2017-09-29 08:40:20
Date Last Modified 2017-09-29 08:52:38

Version Specific Information:

Cucumber 1.0 i686 fixed in git-2.10.5-i686-1
Cucumber 1.0 x86_64 fixed in git-2.10.5-x86_64-1

Cucumber 1.1 i686 fixed in git-2.10.5-i686-1
Cucumber 1.1 x86_64 fixed in git-2.10.5-x86_64-1

Details:

This vulnerability was originally reported by the Debian project as DSA-3984-1.
Original Report (from https://www.debian.org/security/2017/dsa-3984):

joernchen discovered that the git-cvsserver subcommand of Git, a
distributed version control system, suffers from a shell command
injection vulnerability due to unsafe use of the Perl backtick
operator.  The git-cvsserver subcommand is reachable from the
git-shell subcommand even if CVS support has not been configured
(however, the git-cvs package needs to be installed).

In addition to fixing the actual bug, this update removes the
cvsserver subcommand from git-shell by default.  Refer to the updated
documentation for instructions how to reenable in case this CVS
functionality is still needed.

From the NVD (https://nvd.nist.gov/vuln/detail/CVE-2017-14867):

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before
2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands
such as cvsserver, which allows attackers to execute arbitrary OS commands via
shell metacharacters in a module name. The vulnerable code is reachable via
git-shell even without CVS support.