CVE-2017-1000116
Published 2017-10-05
CVE-2017-1000116: Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
Critical · 9.8 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Affected
44 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | bazaar | <= 2.7.0 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | breezy | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | < breezy 3.0.0~bzr6772-1 (bookworm) | breezy 3.0.0~bzr6772-1 (bookworm) |
| debian | bzr | 0 – 2.7.0 | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | dulwich | < dulwich 0.18.5-1 (bookworm) | dulwich 0.18.5-1 (bookworm) |
| debian | fossil | < fossil 1:2.4-1 (bookworm) | fossil 1:2.4-1 (bookworm) |
| debian | git-annex | < git-annex 6.20170818-1 (bookworm) | git-annex 6.20170818-1 (bookworm) |
| debian | mercurial | < mercurial 4.3.1-1 (bookworm) | mercurial 4.3.1-1 (bookworm) |
| dulwich_project | dulwich | <= 0.18.4 | — |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5-1 | 0.18.5-1 |
| dulwich_project | dulwich | >= 0 < 0.18.5 | 0.18.5 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil-scm | fossil | >= 0 < 1:2.4-1 | 1:2.4-1 |
| fossil_scm | fossil | < 2.4 | 2.4 |
| git-annex_project | git-annex | <= 6.20170520 | — |
| git-annex_project | git-annex | >= 0 < 6.20170818-1 | 6.20170818-1 |
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa · 9.8 CRITICAL
osv · 9.8 CRITICAL
Red Hat
python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
vendor_redhat·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CWE-20 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Package: python-dulwich (Red Hat OpenStack Platform 11 (Ocata)) - Will not fix
Red Hat
bzr: does not strip bzr+ssh SSH options
vendor_redhat·2017-08-26·CVSS 9.8
CVE-2017-14176 [CRITICAL] CWE-77 bzr: does not strip bzr+ssh SSH options
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: bzr (Red Hat Enterprise Linux 6) - Will not fix
Package: bzr (Red Hat Enterprise Linux 7) - Will not fix
Red Hat
mercurial: command injection on clients through malicious ssh URLs
vendor_redhat·2017-08-10·CVSS 9.8
CVE-2017-1000116 [CRITICAL] CWE-20 mercurial: command injection on clients through malicious ssh URLs
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
A shell command injection flaw related to the handling of "ssh" URLs has been discovered in Mercurial. This can be exploited to execute shell commands with the privileges of the user running the Mercurial client, for example, when performing a "checkout" or "update" action on a sub-repository within a malicious repository or a legitimate repository containing a malicious commit.
Package: mercurial (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
vendor_debian·2017·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: dulwich - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers t...
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 0.18.5-1)
bullseye: resolved (fixed in 0.18.5-1)
forky: resolved (fixed in 0.18.5-1)
sid: resolved (fixed in 0.18.5-1)
trixie: resolved (fixed in 0.18.5-1)
Debian
CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
vendor_debian·2017·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: breezy - Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to ex...
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 3.0.0~bzr6772-1)
bullseye: resolved (fixed in 3.0.0~bzr6772-1)
forky: resolved (fixed in 3.0.0~bzr6772-1)
sid: resolved (fixed in 3.0.0~bzr6772-1)
trixie: resolved (fixed in 3.0.0~bzr6772-1)
Debian
CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
vendor_debian·2017·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: fossil - http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allow...
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 1:2.4-1)
bullseye: resolved (fixed in 1:2.4-1)
sid: resolved (fixed in 1:2.4-1)
trixie: resolved (fixed in 1:2.4-1)
Debian
CVE-2017-1000116: mercurial - Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, lead...
vendor_debian·2017·CVSS 9.8
CVE-2017-1000116 [CRITICAL] CVE-2017-1000116: mercurial - Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, lead...
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
Scope: local
bookworm: resolved (fixed in 4.3.1-1)
bullseye: resolved (fixed in 4.3.1-1)
forky: resolved (fixed in 4.3.1-1)
sid: resolved (fixed in 4.3.1-1)
trixie: resolved (fixed in 4.3.1-1)
Debian
CVE-2017-12976: git-annex - git-annex before 6.20170818 allows remote attackers to execute arbitrary command...
vendor_debian·2017·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976: git-annex - git-annex before 6.20170818 allows remote attackers to execute arbitrary command...
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
Scope: local
bookworm: resolved (fixed in 6.20170818-1)
bullseye: resolved (fixed in 6.20170818-1)
forky: resolved (fixed in 6.20170818-1)
sid: resolved (fixed in 6.20170818-1)
trixie: resolved (fixed in 6.20170818-1)
GHSA
GHSA-jqcx-qqvc-9wx5: git-annex before 6
ghsa_unreviewed·2022-05-14·CVSS 9.8
CVE-2017-12976 [CRITICAL] CWE-20 GHSA-jqcx-qqvc-9wx5: git-annex before 6
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
GHSA-jjxg-hpm7-g95f: Bazaar through 2
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] GHSA-jjxg-hpm7-g95f: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
Mercurial is vulnerable to shell injection attack
osv·2022-05-13
CVE-2017-1000116 [CRITICAL] Mercurial is vulnerable to shell injection attack
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
GHSA
GHSA-ff3p-f5xw-q723: http_transport
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-17459 [CRITICAL] GHSA-ff3p-f5xw-q723: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
Dulwich RCE Vulnerability
osv·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Dulwich RCE Vulnerability
ghsa·2022-05-13·CVSS 9.8
CVE-2017-16228 [CRITICAL] Dulwich RCE Vulnerability
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
ghsa·2022-05-13·CVSS 9.8
CVE-2017-14176 [CRITICAL] Bazaar allows remote attackers to execute arbitrary commands via a bzr+ssh URL with initial dash character in hostname
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
GHSA
Mercurial is vulnerable to shell injection attack
ghsa·2022-05-13
CVE-2017-1000116 [CRITICAL] CWE-78 Mercurial is vulnerable to shell injection attack
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
OSV
CVE-2017-17459: http_transport
osv·2017-12-07·CVSS 9.8
CVE-2017-17459 [CRITICAL] CVE-2017-17459: http_transport
http_transport.c in Fossil before 2.4, when the SSH sync protocol is used, allows user-assisted remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-14176, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-14176: Bazaar through 2
osv·2017-11-27·CVSS 9.8
CVE-2017-14176 [CRITICAL] CVE-2017-14176: Bazaar through 2
Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-16228: Dulwich before 0
osv·2017-10-29·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228: Dulwich before 0
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
OSV
CVE-2017-1000116: Mercurial prior to 4
osv·2017-10-05·CVSS 9.8
CVE-2017-1000116 [CRITICAL] CVE-2017-1000116: Mercurial prior to 4
Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ssh, leading to possible shell-injection attacks.
OSV
CVE-2017-12976: git-annex before 6
osv·2017-08-20·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976: git-annex before 6
git-annex before 6.20170818 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and CVE-2017-1000117.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
bugzilla·2017-11-03·CVSS 9.8
CVE-2017-16228 [CRITICAL] CVE-2017-16228 python-dulwich: Setting SSH arguments from untrusted URLs allows code execution
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
Upstream patch:
https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/
Discussion:
Created python-dulwich tracking bugs for this issue:
Affects: epel-all [bug 1509304]
Affects: fedora-all [bug 1509305]
---
OpenStack reno is the package that requires python-dulwich. However, it does not use the vulnerable function within python-dulwich. The functionality used by reno is for manipulating
HackerOne
RCE via ssh:// URIs in multiple VCS
hackerone·2017-09-21·CVSS 9.8
CVE-2017-9800 [CRITICAL] RCE via ssh:// URIs in multiple VCS
I'd like to submit an RCE issue within Git, SVN and Mercurial; the CVEs are:
* CVE-2017-9800 (Subversion)
* CVE-2017-1000116 (Mercurial (hg))
* CVE-2017-1000117 (Git)
Further Info can be found at:
http://blog.recurity-labs.com/2017-08-10/scm-vulns
And product specific:
* https://public-inbox.org/git/[email protected]/T/#u
* http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
* https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/
I think these issues, which are all based on the same flaw, could be worth
an IBB Bounty. However, I'd like to point out that we at Recurity Labs
would like the bounty to be donated to a charity. The to-be-determined
charity will be something in the field of brain aneurysm,
Bugzilla
CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname
bugzilla·2017-08-24·CVSS 9.8
CVE-2017-12976 [CRITICAL] CVE-2017-12976 git-annex: RCE via ssh URL with an initial dash character in the hostname
git-annex before 6.20170818 allows remote attackers to execute
arbitrary commands via an ssh URL with an initial dash character in the
hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related
issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and
CVE-2017-1000117.
Upstream patch:
http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471
Discussion:
Created git-annex tracking bugs for this issue:
Affects: epel-all [bug 1484822]
Affects: fedora-all [bug 1484821]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the d
Bugzilla
CVE-2017-1000116 mercurial: command injection on clients through malicious ssh URLs [fedora-all]
bugzilla·2017-08-11·CVSS 9.8
CVE-2017-1000116 [CRITICAL] CVE-2017-1000116 mercurial: command injection on clients through malicious ssh URLs [fedora-all]
Use the following template for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
# bugfix, security, enhancement, newpackage (required)
type=security
# testing, stable
request=testing
# Bug numbers: 1234,9876
bugs=1479915
# Description of your update
notes=Security fix for [PUT CVEs HERE]
# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3
# Automatically close bugs when this marked as stable
close_bugs=True
# Suggest that users restart
Bugzilla
CVE-2017-1000116 mercurial: command injection on clients through malicious ssh URLs
bugzilla·2017-08-09·CVSS 9.8
CVE-2017-1000116 [CRITICAL] CVE-2017-1000116 mercurial: command injection on clients through malicious ssh URLs
Mercurial clients sometimes connect to URLs provided by the repository, as subrepositories, via the .hgsub file.
A maliciously constructed ssh:// URL would cause Mercurial clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to an honest server (to attack another user of that server's repositories), or by a proxy server.
The vulnerability affects all clients, including those that use file://, http://, and ssh://.
Discussion:
Acknowledgments:
Name: the Subversion Team
---
External References:
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
---
Created mercurial tracking bugs for this issue
http://www.debian.org/security/2017/dsa-3963
http://www.securityfocus.com/bid/100290
https://access.redhat.com/errata/RHSA-2017:2489
https://security.gentoo.org/glsa/201709-18
https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.2F_4.3.1_.282017-08-10.29
2017-10-05
Published