CLD-58 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s) |
git |
Deficiency Type |
SECURITY |
Date Created |
2017-09-29 08:40:20 |
Date Last Modified |
2017-09-29 08:52:38 |
Version Specific Information:
Cucumber 1.0 i686 | fixed in git-2.10.5-i686-1 |
Cucumber 1.0 x86_64 | fixed in git-2.10.5-x86_64-1 |
Cucumber 1.1 i686 |
fixed in git-2.10.5-i686-1 |
Cucumber 1.1 x86_64 |
fixed in git-2.10.5-x86_64-1 |
Details:
This vulnerability was originally reported by the Debian project as DSA-3984-1.
Original Report (from https://www.debian.org/security/2017/dsa-3984):
joernchen discovered that the git-cvsserver subcommand of Git, a
distributed version control system, suffers from a shell command
injection vulnerability due to unsafe use of the Perl backtick
operator. The git-cvsserver subcommand is reachable from the
git-shell subcommand even if CVS support has not been configured
(however, the git-cvs package needs to be installed).
In addition to fixing the actual bug, this update removes the
cvsserver subcommand from git-shell by default. Refer to the updated
documentation for instructions how to reenable in case this CVS
functionality is still needed.
From the NVD (https://nvd.nist.gov/vuln/detail/CVE-2017-14867):
Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before
2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands
such as cvsserver, which allows attackers to execute arbitrary OS commands via
shell metacharacters in a module name. The vulnerable code is reachable via
git-shell even without CVS support.