Friday, August 11, 2017

Version Control ssh:// URL Shell Injection Vulnerability

Junio C Hamano (via Greg Hurrell):

These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue.


A malicious third-party can give a crafted “ssh://…” URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim’s machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running ”git clone --recurse-submodules” to trigger the vulnerability.


A “ssh://…” URL can result in a “ssh” command line with a hostname that begins with a dash “-”, which would cause the “ssh” command to instead (mis)treat it as an option.


In the same spirit, a repository name that begins with a dash “-” is also forbidden now.

Comments RSS · Twitter

Leave a Comment