Bugzilla – Bug 1058214
VUL-0: CVE-2017-14176: bzr: ssh:// url injection could lead to code execution
Last modified: 2020-04-28 14:34:36 UTC
CVE-2017-14176

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim using Bazaar, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14176
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
Bazaar suffers from the same bug that affects Git: A hostname that starts with a - is passed on verbatim to the ssh command, which means that the host bit in the URL can be used to set arbitrary SSH options.

E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

Presumably this only affects users that are using the Subprocess SSH vendor, and not those using the Paramiko SSH Vendor.

Please refer to CVE-2017-1000117 for more information.
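The argument-injection pattern described in the comment above, as an added example that is not part of the bug report and is not the patch that was shipped: naive_argv places the URL host into the ssh command line verbatim, while safe_argv refuses option-like components and ends option parsing with "--". All function names are hypothetical, the remote command is a placeholder, and an OpenSSH client is assumed.

```python
from urllib.parse import urlsplit


class UnsafeSSHTarget(ValueError):
    """A URL component would be read by ssh as a command-line option."""


def split_ssh_url(url):
    """Return (user, host, port) from an ssh:// or bzr+ssh:// URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ssh", "bzr+ssh"):
        raise ValueError("not an ssh URL: %r" % url)
    user, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    return user or None, host, port or None


def naive_argv(url, remote_cmd):
    """Behaviour described in the report: the host reaches argv verbatim."""
    user, host, port = split_ssh_url(url)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    if user:
        argv += ["-l", user]
    return argv + [host] + list(remote_cmd)


def safe_argv(url, remote_cmd):
    """Reject option-like components, then end option parsing with '--'."""
    user, host, port = split_ssh_url(url)
    if not host or host.startswith("-"):
        raise UnsafeSSHTarget("refusing host %r" % host)
    if user is not None and user.startswith("-"):
        raise UnsafeSSHTarget("refusing user %r" % user)
    if port is not None and not port.isdigit():
        raise UnsafeSSHTarget("refusing port %r" % port)
    argv = ["ssh"]
    if port:
        argv += ["-p", port]
    if user:
        argv += ["-l", user]
    # Assumption: an OpenSSH client, whose getopt parsing stops at "--".
    return argv + ["--", host] + list(remote_cmd)


if __name__ == "__main__":
    # The URL quoted in the report; the host lands in the option position.
    print(naive_argv("bzr+ssh://-oProxyCommand=ls/path", ["true"]))
```

Rejecting the leading "-" is the primary control; the "--" separator is a second layer and only helps with clients that honour it.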
Please submit for this issue. Thank you.
ping. Please submit
Changing maintainer. Please have a look. Thank you
Johannes, where are you seeing Bazaar in the cloud repos?
Here? https://build.suse.de/project/show/SUSE:SLE-12-SP3:Update:Products:Cloud8
It's only a build dependency which is not shipped and we actually don't maintain it for this reason. We also changed the SLE maintainer bit in the build service some time ago. Please change to the SLE maintainer.
(In reply to Rick Salevsky from comment #8) It is supported in SLE-SDK_11-SP4 SUSE:SLE-11:Update and according to osci maintainer -e bzr cloud-bugs@suse.de is still the current maintainer. Who did you change it to? Then we can reassign it
Mmh... I dug through my mails. Vincent was working on it, but it seems this was not completed.
I will submit the patch from the ubuntu package.
@Bernhard: Can you please also submit to SUSE:SLE-11:Update?
SUSE-SU-2018:1489-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1058214
CVE References: CVE-2017-14176
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bzr-1.8-3.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): bzr-1.8-3.5.1
Done