Bug 1058214 (CVE-2017-14176) - VUL-0: CVE-2017-14176: bzr: ssh:// url injection could lead to code execution
Summary: VUL-0: CVE-2017-14176: bzr: ssh:// url injection could lead to code execution
Status: RESOLVED FIXED
Alias: CVE-2017-14176
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/191645/
Whiteboard: CVSSv2:SUSE:CVE-2017-14176:4.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-12 06:43 UTC by Victor Pereira
Modified: 2020-04-28 14:34 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2017-09-12 06:43:58 UTC
CVE-2017-14176

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim using Bazaar, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14176
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
Comment 1 Victor Pereira 2017-09-12 06:45:52 UTC
Bazaar suffers from the same bug that affects Git:

A hostname that starts with a - is passed on verbatim to the ssh command, which means that the host bit in the URL can be used to set arbitrary SSH options.

E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

Presumably this only affects users that are using the Subprocess SSH vendor, and not those using the Paramiko SSH Vendor.

Please refer to CVE-2017-1000117 for more informations
Comment 2 Johannes Segitz 2018-02-14 16:21:07 UTC
Please submit for this issue. Thank you.
Comment 3 Johannes Segitz 2018-02-27 15:10:11 UTC
ping. Please submit
Comment 4 Johannes Segitz 2018-04-19 15:08:58 UTC
Changing maintainer. Please have a look. Thank you
Comment 6 Keith Berger 2018-05-15 15:15:19 UTC
Johannes,

Where are you seeing Bazaar in the cloud repos?
Comment 8 Rick Salevsky 2018-05-15 16:34:49 UTC
It's only a build dependency which is not shipped and we actually don't maintain it for this reason. We also changed the SLE maintainer bit in the build service some time ago.

Please change to the SLE maintainer.
Comment 9 Johannes Segitz 2018-05-16 10:07:21 UTC
(In reply to Rick Salevsky from comment #8)
It is supported in 
SLE-SDK_11-SP4                          SUSE:SLE-11:Update
and according to 
osci maintainer -e bzr
cloud-bugs@suse.de is still the current maintainer. Who did you change it to? Then we can reassign it
Comment 10 Rick Salevsky 2018-05-16 11:36:39 UTC
Mmh... I digged in my mails Vincent was working on it but it seams this was not completed.
Comment 11 Bernhard Wiedemann 2018-05-17 09:53:38 UTC
I will submit the patch from the ubuntu package.
Comment 13 Rick Salevsky 2018-05-17 12:24:07 UTC
@Bernhard: Can you please also submit to SUSE:SLE-11:Update?
Comment 17 Swamp Workflow Management 2018-06-01 16:18:25 UTC
SUSE-SU-2018:1489-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1058214
CVE References: CVE-2017-14176
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    bzr-1.8-3.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    bzr-1.8-3.5.1
Comment 18 Alexandros Toptsoglou 2020-04-28 14:34:36 UTC
Done