bzr: CVE-2017-14176: bzr+ssh URLs don't strip SSH options

Related Vulnerabilities: CVE-2017-14176  

Debian Bug report logs - #874429


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 6 Sep 2017 04:39:01 UTC

Severity: grave

Tags: security, upstream

Found in version bzr/2.6.0+bzr6595-6

Fixed in versions bzr/2.7.0+bzr6622-7, bzr/2.7.0+bzr6619-7+deb9u1, bzr/2.6.0+bzr6595-6+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Bazaar Maintainers <pkg-bazaar-maint@lists.alioth.debian.org>:
Bug#874429; Package src:bzr. (Wed, 06 Sep 2017 04:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Bazaar Maintainers <pkg-bazaar-maint@lists.alioth.debian.org>. (Wed, 06 Sep 2017 04:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bzr: bzr+ssh URLs don't strip SSH options
Date: Wed, 06 Sep 2017 06:37:15 +0200
Source: bzr
Version: 2.6.0+bzr6595-6
Severity: grave
Tags: upstream security
Justification: user security hole
Control: fixed -1 2.7.0+bzr6622-7

Hi

This is handled already in unstable with 2.7.0+bzr6622-7; this bug is
to track the issue until the CVE is assigned and properly identified
via a CVE. A CVE was apparently requested, reading LP #1710979.

bzr (2.7.0+bzr6622-7) unstable; urgency=high

  * Add patch 27_fix_sec_ssh: Strip out hostnames starting with dash in
    bzr+ssh URLs, as they might allow an attacker to provide SSH command-
    line flags. LP: #1710979

https://bugs.launchpad.net/bzr/+bug/1710979

Regards,
Salvatore
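The changelog entry quoted above states the bug in one sentence: a hostname that begins with '-' is handed to ssh(1) as its own argv word, and ssh's option scanner reads it as an option instead of a host. The Python script below is an added illustration, not bzr's code and not the 27_fix_sec_ssh patch; the function names, the sample URLs, the argv layout and the table of option letters are this example's own assumptions, and the argv walk only approximates ssh's real parser. It parses a bzr+ssh:// URL, builds the ssh argv the unchecked way and with the leading-dash check, and shows which word ssh would actually treat as the host. The same example covers the "Prevent SSH command line options from being specified in bzr+ssh:// URLs" items in the stretch and jessie changelogs further down.

```python
"""Added example (not bzr's code): how a '-'-prefixed hostname in a
bzr+ssh:// URL becomes an ssh(1) option, and the check that refuses it.
Assumes Python 3; URLs, argv layout and the option-letter table are
constructed for illustration and approximate ssh's real parser."""
from urllib.parse import urlsplit

# ssh(1) option letters that consume the *next* argv word as their value
# (taken from ssh's usage line; approximate, used by the scanner only).
ARG_TAKING = set("BbcDEeFIiJLlmOopQRSWw")


class StrangeHostname(ValueError):
    """Hostname that ssh would parse as a command-line option."""


def parse_bzr_ssh_url(url):
    """Split a bzr+ssh:// URL into (user, host, port, path).

    The netloc is taken verbatim rather than via urlsplit().hostname,
    which lowercases it; the attacker-controlled bytes are what matter.
    """
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % (url,))
    netloc, user, port = parts.netloc, None, None
    if "@" in netloc:
        user, netloc = netloc.rsplit("@", 1)
    if ":" in netloc:
        netloc, port_str = netloc.rsplit(":", 1)
        port = int(port_str)
    return user, netloc, port, parts.path


def ssh_argv_unchecked(user, host, port, subsystem="sftp"):
    """Pre-fix shape: the host is dropped straight into argv, right
    after '-s' (which takes no value), so ssh's option scan keeps going
    and a host such as '-oProxyCommand=xcalc' is read as an option."""
    argv = ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
            "-oClearAllForwardings=yes"]
    if port is not None:
        argv.extend(["-p", str(port)])
    if user is not None:
        argv.extend(["-l", user])
    argv.extend(["-s", host, subsystem])
    return argv


def ssh_argv_checked(user, host, port, subsystem="sftp"):
    """Post-fix shape: refuse a hostname beginning with '-' before it
    reaches argv.  The username is consumed as the value of '-l' and is
    not exploitable in this layout, but rejecting it too costs nothing."""
    for label, value in (("hostname", host), ("username", user)):
        if value is not None and value.startswith("-"):
            raise StrangeHostname("refusing to pass %s %r to ssh: it would "
                                  "be parsed as an option" % (label, value))
    return ssh_argv_unchecked(user, host, port, subsystem)


def scan_ssh_argv(argv):
    """Approximate ssh(1)'s getopt walk over argv[1:].

    Returns (option_words, host, remainder): every word up to the first
    non-option is option territory, a bare '--' ends it, and the next
    word is what ssh will actually try to connect to.
    """
    options, i = [], 1
    while i < len(argv):
        word = argv[i]
        if word == "--":
            i += 1
            break
        if not word.startswith("-") or word == "-":
            break
        options.append(word)
        if len(word) == 2 and word[1] in ARG_TAKING and i + 1 < len(argv):
            options.append(argv[i + 1])   # the option's value
            i += 1
        i += 1
    host = argv[i] if i < len(argv) else None
    return options, host, argv[i + 1:]


def refuses(url):
    """True if the checked builder rejects the URL's hostname."""
    user, host, port, _path = parse_bzr_ssh_url(url)
    try:
        ssh_argv_checked(user, host, port)
    except StrangeHostname:
        return True
    return False


if __name__ == "__main__":
    # Both URLs are constructed for this example.
    for url in ("bzr+ssh://alice@bzr.example.org:2222/proj/trunk",
                "bzr+ssh://-oProxyCommand=xcalc/repo"):
        user, host, port, _ = parse_bzr_ssh_url(url)
        opts, target, _ = scan_ssh_argv(ssh_argv_unchecked(user, host, port))
        print(url, "-> options:", opts, "host:", target,
              "| refused by check:", refuses(url))
```

ProxyCommand is the usual payload because ssh executes it on the client before any connection is made: with the unchecked argv, the constructed URL bzr+ssh://-oProxyCommand=xcalc/repo yields `ssh ... -s -oProxyCommand=xcalc sftp`, so ssh takes "sftp" as the host and runs xcalc locally first. Refusing a leading '-' is the minimal fix and matches the changelog's description; it belongs at the transport layer, as in the patch, because the URL that reaches it need not have been typed by the user on the command line.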



Marked as fixed in versions bzr/2.7.0+bzr6622-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 06 Sep 2017 04:39:04 GMT)


Changed Bug title to 'bzr: CVE-2017-14176: bzr+ssh URLs don't strip SSH options' from 'bzr: bzr+ssh URLs don't strip SSH options'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Sep 2017 06:42:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 02 Dec 2017 19:33:19 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Dec 2017 19:33:19 GMT)


Message #14 received at 874429-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 874429-close@bugs.debian.org
Subject: Bug#874429: fixed in bzr 2.7.0+bzr6619-7+deb9u1
Date: Sat, 02 Dec 2017 19:32:08 +0000
Source: bzr
Source-Version: 2.7.0+bzr6619-7+deb9u1

We believe that the bug you reported is fixed in the latest version of
bzr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874429@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bzr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 27 Nov 2017 21:12:18 +0100
Source: bzr
Binary: bzr python-bzrlib python-bzrlib-dbg python-bzrlib.tests bzr-doc
Architecture: source
Version: 2.7.0+bzr6619-7+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Bazaar Maintainers <pkg-bazaar-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 bzr        - easy to use distributed version control system
 bzr-doc    - easy to use distributed version control system (documentation)
 python-bzrlib - distributed version control system - python library
 python-bzrlib-dbg - distributed version control system - debug extension
 python-bzrlib.tests - distributed version control system - testsuite
Closes: 868966 874429
Changes:
 bzr (2.7.0+bzr6619-7+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter
     trips up pycurl (Closes: #868966)
   * Ship a refreshed copy of the ssl certs used in testsuite
   * Prevent SSH command line options from being specified in bzr+ssh:// URLs
     (CVE-2017-14176) (Closes: #874429)
Checksums-Sha1:
 8e1cf05b469efea80bc2ed260d8d3a43db88d463 3033 bzr_2.7.0+bzr6619-7+deb9u1.dsc
 8bf0b1d7867528e078484cf53a2ab6b879f36b18 10945598 bzr_2.7.0+bzr6619.orig.tar.gz
 be438b1b7afbd84b8af8bb6133cdbf99c375a0ce 92072 bzr_2.7.0+bzr6619-7+deb9u1.debian.tar.xz
 8b5cced0416e11671925931d311fc5f52c6d0d7d 6745 bzr_2.7.0+bzr6619-7+deb9u1_source.buildinfo
Checksums-Sha256:
 b13644e5d249743102646f3d01ae66b9ddb6d1911f3ee2d6fe0e5ac8b9bd6273 3033 bzr_2.7.0+bzr6619-7+deb9u1.dsc
 a0192999245457fbd564702518bc96453ac0f9b38ea031a466679839b346fa14 10945598 bzr_2.7.0+bzr6619.orig.tar.gz
 c59743abd33483852c1fdc0647a96599e8b7adccde266b32fc78f639e369584d 92072 bzr_2.7.0+bzr6619-7+deb9u1.debian.tar.xz
 53df5b773ac3c3b5d695fa1d860f74cec24488eb0de70c81c55f0484e4dd0f6b 6745 bzr_2.7.0+bzr6619-7+deb9u1_source.buildinfo
Files:
 e0e9ef57e855836d08d930e68be3d678 3033 vcs optional bzr_2.7.0+bzr6619-7+deb9u1.dsc
 a310bda70f391bbc299d0b9d38c1b41a 10945598 vcs optional bzr_2.7.0+bzr6619.orig.tar.gz
 8728b74bdea6ba958aca5c16b3a985b9 92072 vcs optional bzr_2.7.0+bzr6619-7+deb9u1.debian.tar.xz
 192dad00880dbf195c2e2a79e5dad46d 6745 vcs optional bzr_2.7.0+bzr6619-7+deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 02 Dec 2017 19:51:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Dec 2017 19:51:06 GMT)


Message #19 received at 874429-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 874429-close@bugs.debian.org
Subject: Bug#874429: fixed in bzr 2.6.0+bzr6595-6+deb8u1
Date: Sat, 02 Dec 2017 19:47:24 +0000
Source: bzr
Source-Version: 2.6.0+bzr6595-6+deb8u1

We believe that the bug you reported is fixed in the latest version of
bzr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874429@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bzr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Nov 2017 21:44:25 +0100
Source: bzr
Binary: bzr python-bzrlib python-bzrlib-dbg python-bzrlib.tests bzr-doc
Architecture: all source
Version: 2.6.0+bzr6595-6+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Bazaar Maintainers <pkg-bazaar-maint@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868966 874429
Description: 
 bzr        - easy to use distributed version control system
 bzr-doc    - easy to use distributed version control system (documentation)
 python-bzrlib - distributed version control system - python library
 python-bzrlib-dbg - distributed version control system - debug extension
 python-bzrlib.tests - distributed version control system - testsuite
Changes:
 bzr (2.6.0+bzr6595-6+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter
     trips up pycurl (Closes: #868966)
   * Ship a refreshed copy of the ssl certs used in testsuite
   * Prevent SSH command line options from being specified in bzr+ssh:// URLs
     (CVE-2017-14176) (Closes: #874429)
Checksums-Sha1: 
 5bc34d5ab52dd87767efeac37c7b495c909fdc33 2914 bzr_2.6.0+bzr6595-6+deb8u1.dsc
 8eb8643bb5af86044ffd5535f6f876476085f641 10944820 bzr_2.6.0+bzr6595.orig.tar.gz
 478e98979ca4fa232590c9989ce0cfdfb1f54d75 64608 bzr_2.6.0+bzr6595-6+deb8u1.debian.tar.xz
 963e48bd61916018de1dbe920fab054a4cfa31c2 54118 bzr_2.6.0+bzr6595-6+deb8u1_all.deb
 6a8314e5acf99d59fead6e28ac3eea1d0cf625cb 1029498 python-bzrlib.tests_2.6.0+bzr6595-6+deb8u1_all.deb
 51096d0973aaed6b4c971b2cdd0e554c37846320 3837242 bzr-doc_2.6.0+bzr6595-6+deb8u1_all.deb
Checksums-Sha256: 
 ebe83be4c7036e4f90f0a8ebeab997768fa47f835db5fa8f4de9d880b5c5f251 2914 bzr_2.6.0+bzr6595-6+deb8u1.dsc
 0016ae484fa08afad9c13ba83871ab424ff0151dee30064af9dd355ec65bdcec 10944820 bzr_2.6.0+bzr6595.orig.tar.gz
 58861deceaa2c9c6e3046b2a705b8150b217dc719e1aaa3e5e26113e291957f3 64608 bzr_2.6.0+bzr6595-6+deb8u1.debian.tar.xz
 f8c74a2f21bbe81f10ae82a03fb47ee9ad57015ea7664025df278e95ee1227ee 54118 bzr_2.6.0+bzr6595-6+deb8u1_all.deb
 95f7e2a58c731ccf2b9762bb88ab7e41806d8fbaaa76c0bf7f5bfd4ade307338 1029498 python-bzrlib.tests_2.6.0+bzr6595-6+deb8u1_all.deb
 93c8bd9a394a8039ee968f723441dda9bd33eeeae3fe43364ee553518d1317ff 3837242 bzr-doc_2.6.0+bzr6595-6+deb8u1_all.deb
Files: 
 6f24cbb959a797e9b6e7b914bb75940b 2914 vcs optional bzr_2.6.0+bzr6595-6+deb8u1.dsc
 ec16d5e0dcb262515c7348c99f6a6891 10944820 vcs optional bzr_2.6.0+bzr6595.orig.tar.gz
 66a3127d0dfcbe8944492b39f75dad5d 64608 vcs optional bzr_2.6.0+bzr6595-6+deb8u1.debian.tar.xz
 b4dc2da9ae5681200bc89a85d83784ee 54118 vcs optional bzr_2.6.0+bzr6595-6+deb8u1_all.deb
 23ac871931ad76e15d392abb2b31ffcb 1029498 python optional python-bzrlib.tests_2.6.0+bzr6595-6+deb8u1_all.deb
 dee68949632a1fde379fbb6314aad2b7 3837242 doc optional bzr-doc_2.6.0+bzr6595-6+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Jan 2018 07:30:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:15:37 2019; Machine Name: buxtehude
