gitlab: CVE-2017-12426: Remote Command Execution in git client


Debian Bug report logs - #872190
gitlab: CVE-2017-12426: Remote Command Execution in git client


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 15 Aug 2017 05:45:01 UTC

Severity: minor

Tags: fixed-upstream, security, upstream

Found in version gitlab/8.13.11+dfsg1-8

Done: Pirate Praveen <praveen@onenetbeyond.org>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.com/gitlab-org/gitlab-ce/issues/35212



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#872190; Package src:gitlab. (Tue, 15 Aug 2017 05:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 15 Aug 2017 05:45:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2017-12426: Remote Command Execution in git client
Date: Tue, 15 Aug 2017 07:40:59 +0200
Source: gitlab
Version: 8.13.11+dfsg1-8
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/35212

Hi,

the following vulnerability was published for gitlab.

CVE-2017-12426[0]:
| GitLab Community Edition (CE) and Enterprise Edition (EE) before
| 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10,
| 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote
| attackers to execute arbitrary code via a crafted SSH URL in a project
| import.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12426
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12426
[1] https://gitlab.com/gitlab-org/gitlab-ce/issues/35212
[2] https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#872190; Package src:gitlab. (Thu, 17 Aug 2017 13:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Pirate Praveen <praveen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 17 Aug 2017 13:39:04 GMT) (full text, mbox, link).


Message #10 received at 872190@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>
To: 872190@bugs.debian.org
Subject: Re: gitlab: CVE-2017-12426: Remote Command Execution in git client
Date: Thu, 17 Aug 2017 18:24:43 +0530
On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> If you fix the vulnerability please also
> make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is an
extra step to prevent it in case of a vulnerable git. Since Debian already
has the fixed version of git, I don't think we need to do anything to
gitlab.

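The "extra step" mentioned above, as an added example that is not GitLab's or Debian's own code: a hypothetical import-URL check that refuses SSH-style URLs whose host or user part begins with "-", since an unpatched git client would pass such a value to ssh where it can be read as a command-line option (the git-side issue that the fixed git package addresses). The function name, scheme allow-list and sample URLs are assumptions made for this example.

```ruby
require 'uri'

# Hypothetical helper, not GitLab's own code. Schemes an importer is
# willing to clone from; anything else (file, local paths) is refused.
ALLOWED_SCHEMES = %w[ssh git http https].freeze

# Returns [true, nil] for an acceptable import URL, or [false, reason].
def check_import_url(url)
  return [false, 'empty url'] if url.nil? || url.strip.empty?

  # scp-like form "user@host:path" has no scheme; git treats it as ssh and
  # hands "user@host" to ssh as a single argument, so a leading "-" in
  # either the user or the host part must be refused here.
  if url !~ %r{\A[a-z][a-z0-9+.-]*://}i && url.include?(':')
    host_part = url.split(':', 2).first
    host = host_part.split('@').last
    return [false, 'host starts with "-"'] if host.start_with?('-')
    return [false, 'user starts with "-"'] if host_part.include?('@') && host_part.start_with?('-')

    return [true, nil]
  end

  uri = URI.parse(url)
  return [false, "scheme #{uri.scheme.inspect} not allowed"] unless ALLOWED_SCHEMES.include?(uri.scheme)
  return [false, 'missing host'] if uri.host.nil? || uri.host.empty?
  return [false, 'host starts with "-"'] if uri.host.start_with?('-')
  return [false, 'user starts with "-"'] if uri.user && uri.user.start_with?('-')

  [true, nil]
rescue URI::InvalidURIError => e
  [false, "unparseable: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not taken from the bug report.
  ['ssh://git@example.invalid/group/repo.git',
   'git@example.invalid:group/repo.git',
   'ssh://-example.invalid/repo.git',
   '-x@example.invalid:repo.git',
   'file:///etc/passwd'].each do |u|
    ok, reason = check_import_url(u)
    puts "#{ok ? 'accept' : 'reject'} #{u} #{reason}"
  end
end
```

With a patched git the check is redundant, which is the point the maintainer makes; it only matters while a vulnerable git may still be on the host.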

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#872190; Package src:gitlab. (Thu, 17 Aug 2017 17:21:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 17 Aug 2017 17:21:07 GMT) (full text, mbox, link).


Message #15 received at 872190@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Pirate Praveen <praveen@debian.org>, 872190@bugs.debian.org
Subject: Re: Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
Date: Thu, 17 Aug 2017 19:16:38 +0200
Control: severity -1 minor

On Thu, Aug 17, 2017 at 06:24:43PM +0530, Pirate Praveen wrote:
> On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > If you fix the vulnerability please also
> > make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is an
> extra step to prevent it in case of a vulnerable git. Since Debian already
> has the fixed version of git, I don't think we need to do anything to
> gitlab.

Agree, we can at least lower the severity, and thanks a lot for the
followup. The CVE seems to have been assigned specifically for the "via a
crafted SSH URL in a project import" case. Can you close this bug once the
gitlab version also contains this extra safety measure for when it is still
running with an older git?

For the security tracker I have already downgraded the severity to
unimportant.

Regards,
Salvatore



Severity set to 'minor' from 'grave'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 872190-submit@bugs.debian.org. (Thu, 17 Aug 2017 17:21:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#872190; Package src:gitlab. (Thu, 17 Aug 2017 17:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Pirate Praveen <praveen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 17 Aug 2017 17:57:04 GMT) (full text, mbox, link).


Message #22 received at 872190@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 872190@bugs.debian.org
Subject: Re: Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
Date: Thu, 17 Aug 2017 23:25:42 +0530
On Thursday 17 August 2017 10:46 PM, Salvatore Bonaccorso wrote:
> Agree, we can at least lower the severity, and thanks a lot for the
> followup. The CVE seems to have been assigned specifically for the "via a
> crafted SSH URL in a project import" case. Can you close this bug once the
> gitlab version also contains this extra safety measure for when it is still
> running with an older git?
yes.
> For the security tracker I have already downgraded the severity to
> unimportant.

thanks.


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 09 Jul 2018 17:31:45 GMT) (full text, mbox, link).


Reply sent to Pirate Praveen <praveen@onenetbeyond.org>:
You have taken responsibility. (Sun, 18 Nov 2018 03:21:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 18 Nov 2018 03:21:04 GMT) (full text, mbox, link).


Message #29 received at 872190-done@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@onenetbeyond.org>
To: 872190-done@bugs.debian.org
Subject: Re: Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
Date: Sun, 18 Nov 2018 08:46:33 +0530
On Thu, 17 Aug 2017 19:16:38 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Can you close this bug once the gitlab
> version contains as well this extra safety measure if still running
> with older git?

We have 10.8.7 in buster and 11.1.8 in sid. Closing.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Dec 2018 07:30:42 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:04:43 2019; Machine Name: buxtehude
