git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976)

Debian Bug report logs - #873088


Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Thu, 24 Aug 2017 13:09:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version git-annex/5.20141125

Fixed in versions git-annex/5.20141125+deb8u1, 6.20170101-1+deb9u1, git-annex/6.20170818-1, git-annex/6.20171124-1, git-annex/6.20170101-1+deb9u2

Done: Sean Whitton <spwhitton@spwhitton.name>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 24 Aug 2017 13:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Richard Hartmann <richih@debian.org>. (Thu, 24 Aug 2017 13:09:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: git-annex: remote code execution via crafted SSH URLs (CVE-2017-12976)
Date: Thu, 24 Aug 2017 09:00:06 -0400
[Message part 1 (text/plain, inline)]
Package: git-annex
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for git-annex.

CVE-2017-12976[0]:
| git-annex before 6.20170818 allows remote attackers to execute
| arbitrary commands via an ssh URL with an initial dash character in the
| hostname, as demonstrated by an ssh://-eProxyCommand= URL, a related
| issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-1000116, and
| CVE-2017-1000117.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12976
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12976

Please adjust the affected versions in the BTS as needed.
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions git-annex/5.20141125. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Aug 2017 14:54:05 GMT) (full text, mbox, link).


Marked as fixed in versions git-annex/6.20170818-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Aug 2017 14:54:07 GMT) (full text, mbox, link).


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Aug 2017 14:54:08 GMT) (full text, mbox, link).


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Thu, 24 Aug 2017 14:54:09 GMT) (full text, mbox, link).


Message sent on to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug#873088. (Thu, 24 Aug 2017 14:54:11 GMT) (full text, mbox, link).


Message #16 received at 873088-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 873088-submitter@bugs.debian.org
Subject: closing 873088
Date: Thu, 24 Aug 2017 16:52:25 +0200
close 873088 6.20170818-1
thanks




Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 24 Aug 2017 14:57:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Tue, 29 Aug 2017 14:03:15 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Tue, 29 Aug 2017 14:03:15 GMT) (full text, mbox, link).


Message #23 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Richard Hartmann <richih@debian.org>
Cc: 873088@bugs.debian.org, debian-lts@lists.debian.org
Subject: Wheezy update of git-annex?
Date: Tue, 29 Aug 2017 15:53:25 +0200
Hello Richard,

First I want to point out that git-annex 6.20170818-1 failed to build on
arm64; you might want to ask for a give-back to retry with a newer
compiler (gcc 7.2 landed in unstable since the failed build on arm64).

Apart from that, the Debian LTS team would like to fix the security issues
which are currently open in the Wheezy version of git-annex:
https://security-tracker.debian.org/tracker/CVE-2017-12976

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your
answer and then the LTS Team will take care of git-annex updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Wed, 27 Sep 2017 17:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Wed, 27 Sep 2017 17:00:06 GMT) (full text, mbox, link).


Message #28 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>
Cc: 873088@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of git-annex?
Date: Wed, 27 Sep 2017 12:56:46 -0400
For what it's worth, I can reproduce this in Wheezy, using the following
proof of concept:

    sudo apt-get install git-annex
    git init foo 
    cd foo/
    git remote add origin 'ssh://-oProxyCommand=ls/foo' 
    git annex init
    git annex sync

the latter command calls "ls" which is our "evil command" here, at least
according to strace:

[pid 14350] execve("/usr/lib/git-core/ssh", ["ssh", "-S", "/home/vagrant/foo/.git/annex/ssh"..., "-o", "ControlMaster=auto", "-o", "ControlPersist=yes", "-oProxyCommand=ls", "git-annex-shell 'configlist' '/f"...], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
[pid 14350] execve("/usr/local/bin/ssh", ["ssh", "-S", "/home/vagrant/foo/.git/annex/ssh"..., "-o", "ControlMaster=auto", "-o", "ControlPersist=yes", "-oProxyCommand=ls", "git-annex-shell 'configlist' '/f"...], [/* 16 vars */]) = -1 ENOENT (No such file or directory)
[pid 14350] execve("/usr/bin/ssh", ["ssh", "-S", "/home/vagrant/foo/.git/annex/ssh"..., "-o", "ControlMaster=auto", "-o", "ControlPersist=yes", "-oProxyCommand=ls", "git-annex-shell 'configlist' '/f"...], [/* 16 vars */]) = 0
Process 14351 attached
[pid 14351] execve("/bin/bash", ["/bin/bash", "-c", "exec ls"], [/* 16 vars */]) = 0
[pid 14351] execve("/bin/ls", ["ls"], [/* 15 vars */]) = 0
ssh_exchange_identification: Connection closed by remote host
Process 14350 detached
[pid 14343] --- SIGCHLD (Child exited) @ 0 (0) ---
Command ssh ["-S","/home/vagrant/foo/.git/annex/ssh/-oProxyCommand=ls","-o","ControlMaster=auto","-o","ControlPersist=yes","-oProxyCommand=ls","git-annex-shell 'configlist' '/foo'"] failed; exit code 255
commit  

I am not sure how to fix this in wheezy. The code is obviously quite
different, but I figured we may be able to grep for the "ssh" string in
the source code and fix all relevant issues, while backporting the
SshHost utility...

Other ideas?

a.

-- 
Only in the darkness can you see the stars.
                        - Martin Luther King, Jr.



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 28 Sep 2017 17:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Thu, 28 Sep 2017 17:57:02 GMT) (full text, mbox, link).


Message #33 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>
Cc: 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: git-annex security issue backports
Date: Thu, 28 Sep 2017 13:53:06 -0400
[Message part 1 (text/plain, inline)]
Hi again,

I reached out to joeyh to see how we could backport git-annex security
patches to wheezy. He responded by sharing the attached patch he sent to
the git-annex maintainer that backports the fixes to stretch. I figured
it would be useful for the core secteam to have visibility on this...

He also validated the approach I suggested of "grep for ssh and backport
the SshHost construct" to fix the issue in earlier versions.

I may look at this again tomorrow, otherwise next week.

A.

-- 
He who knows how to enjoy the little he has is always rich enough.
                         - Démocrite

[Message part 2 (message/rfc822, inline)]
From: Joey Hess <id@joeyh.name>
To: Antoine Beaupré <anarcat@debian.org>
Subject: FWD: heads up: git-annex security hole
Date: Thu, 28 Sep 2017 12:31:34 -0400
[Message part 3 (text/plain, inline)]
----- Forwarded message from Joey Hess <id@joeyh.name> -----

Date: Thu, 17 Aug 2017 22:42:27 -0400
From: Joey Hess <id@joeyh.name>
To: Richard Hartmann <richih@debian.org>
Subject: heads up: git-annex security hole
User-Agent: NeoMutt/20170609 (1.8.3)

I'll be releasing a new version of git-annex tomorrow fixing a remotely
exploitable security hole, the same class of vulnerability that recently
afflicted git. Patch is attached.

This affects all versions of git-annex, so will need backporting.
I've also attached a version of the patch that will apply cleanly to
6.20170101 in stable.

-- 
see shy jo






----- End forwarded message -----
-- 
see shy jo
[0001-stable-avoid-the-dashed-ssh-hostname-class-of-securi.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Fri, 29 Sep 2017 17:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Fri, 29 Sep 2017 17:00:03 GMT) (full text, mbox, link).


Message #38 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Fri, 29 Sep 2017 18:56:32 +0200
Hi Antoine,

On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote:
> Hi again,
> 
> I reached out to joeyh to see how we could backport git-annex security
> patches to wheezy. He responded by sharing the attached patch he sent to
> the git-annex maintainer that backports the fixes to stretch. I figured
> it would be useful for the core secteam to have visibility on this...
> 
> He also validated the approach I suggested of "grep for ssh and backport
> the SshHost construct" to fix the issue in earlier versions.

Thanks. Indeed we were already in contact with Richard.

Richard, friendly ping, did you have a chance to continue working on
the jessie- and stretch-security upload?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 12 Oct 2017 18:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Thu, 12 Oct 2017 18:57:02 GMT) (full text, mbox, link).


Message #43 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Antoine Beaupré <anarcat@debian.org>, Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Thu, 12 Oct 2017 20:53:13 +0200
On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote:
> Hi Antoine,
> 
> On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote:
> > Hi again,
> > 
> > I reached out to joeyh to see how we could backport git-annex security
> > patches to wheezy. He responded by sharing the attached patch he sent to
> > the git-annex maintainer that backports the fixes to stretch. I figured
> > it would be useful for the core secteam to have visibility on this...
> > 
> > He also validated the approach I suggested of "grep for ssh and backport
> > the SshHost construct" to fix the issue in earlier versions.
> 
> Thanks. Indeed we were already in contact with Richard.
> 
> Richard, friendly ping, did you have a chance to continue working on
> the jessie- and stretch-security upload?

What's the status?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Mon, 23 Oct 2017 13:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Mon, 23 Oct 2017 13:27:03 GMT) (full text, mbox, link).


Message #48 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Mon, 23 Oct 2017 09:26:28 -0400
On 2017-10-12 20:53:13, Moritz Mühlenhoff wrote:
> On Fri, Sep 29, 2017 at 06:56:32PM +0200, Salvatore Bonaccorso wrote:
>> Hi Antoine,
>> 
>> On Thu, Sep 28, 2017 at 01:53:06PM -0400, Antoine Beaupré wrote:
>> > Hi again,
>> > 
>> > I reached out to joeyh to see how we could backport git-annex security
>> > patches to wheezy. He responded by sharing the attached patch he sent to
>> > the git-annex maintainer that backports the fixes to stretch. I figured
>> > it would be useful for the core secteam to have visibility on this...
>> > 
>> > He also validated the approach I suggested of "grep for ssh and backport
>> > the SshHost construct" to fix the issue in earlier versions.
>> 
>> Thanks. Indeed we were already in contact with Richard.
>> 
>> Richard, friendly ping, did you have a chance to continue working on
>> the jessie- and stretch-security upload?
>
> What's the status?

I'm resuming work on this now, and I'll see how I can backport this to
wheezy, which should helpfully give some help/nudge to the jessie
version as well.

A.

-- 
It is a miracle that curiosity survives formal education
                        - Albert Einstein



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Mon, 23 Oct 2017 20:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Mon, 23 Oct 2017 20:57:02 GMT) (full text, mbox, link).


Message #53 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: debian-lts@lists.debian.org
Cc: Richard Hartmann <richih@debian.org>, Joey Hess <id@joeyh.name>, 873088@bugs.debian.org, team@security.debian.org
Subject: git-annex CVE-2017-12976 wheezy backport
Date: Mon, 23 Oct 2017 16:55:15 -0400
[Message part 1 (text/plain, inline)]
Hi all,

I've undertaken the work to backport the patch for CVE-2017-12976 to
wheezy, that is 3.20120629 (!). First off, the Ddar and Gcrypt remotes
were missing, so that reduced the work. It also seems that the assistant
didn't need to be patched because it didn't use ssh host primitives as
much.

At least this is what I found. The debdiff is attached and I have
uploaded a test build on my usual repository:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Tests seem to pass, both at build time and during some basic smoke tests
in a wheezy VM. I also can't reproduce the issue with the new package,
so the fix seems to work. I am assuming Haskell's type checking takes
care of the rest.

Any review would be greatly appreciated, I plan on uploading this to
wheezy by the end of the week.

Note that the stretch upload should be fairly trivial with the provided
patch: just apply, fix the change and upload. Jessie should be fairly
easy to patch with the two examples...

Thanks especially to Joeyh for his quick response!

A.

-- 
I would defend the liberty of consenting adult creationists to practice
whatever intellectual perversions they like in the privacy of their own
homes; but it is also necessary to protect the young and innocent.
                        - Arthur C. Clarke
[0001-oldstable-fix-dashed-ssh-hostname-issue-CVE-2017-129.patch (text/x-diff, inline)]
From 05903f52f614243421451836c4431e3b63de53ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Mon, 23 Oct 2017 16:50:56 -0400
Subject: [PATCH] (oldstable) fix dashed ssh hostname issue CVE-2017-12976
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security fix: Disallow hostname starting with a dash, which would get
passed to ssh and be treated as an option. This could be used by an attacker
who provides a crafted ssh url (e.g. a git remote) to execute arbitrary
code via ssh -oProxyCommand.

The same class of security hole recently affected git itself,
CVE-2017-1000117.

Method: Identified all places where ssh is run, by git grep '"ssh"'
Converted them all to use a SshHost, if they did not already, for
specifying the hostname.

SshHost was made a data type with a smart constructor, which rejects
hostnames starting with '-'.

Note that git-annex already contains extensive use of Utility.SafeCommand,
which fixes a similar class of problem where a filename starting with a
dash gets passed to a program which treats it as an option.

This was backported by Antoine Beaupré, from the upstream stable patch
provided by Joey Hess.
---
 Annex/Ssh.hs         | 22 ++++++++++++----------
 Remote/Helper/Ssh.hs |  7 ++++++-
 Utility/SshHost.hs   | 29 +++++++++++++++++++++++++++++
 debian/changelog     | 10 ++++++++++
 4 files changed, 57 insertions(+), 11 deletions(-)
 create mode 100644 Utility/SshHost.hs

diff --git a/Annex/Ssh.hs b/Annex/Ssh.hs
index 8bd4fe33a..63c2324a3 100644
--- a/Annex/Ssh.hs
+++ b/Annex/Ssh.hs
@@ -18,10 +18,11 @@ import qualified Git.Config
 import Config
 import qualified Build.SysConfig as SysConfig
 import Annex.Perms
+import Utility.SshHost
 
 {- Generates parameters to ssh to a given host (or user@host) on a given
  - port, with connection caching. -}
-sshParams :: (String, Maybe Integer) -> [CommandParam] -> Annex [CommandParam]
+sshParams :: (SshHost, Maybe Integer) -> [CommandParam] -> Annex [CommandParam]
 sshParams (host, port) opts = go =<< sshInfo (host, port)
 	where
 		go (Nothing, params) = ret params
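Review bot: changing the host argument of sshParams from String to SshHost is the right lever, because every caller now has to go through mkSshHost to obtain a value and the compiler flags any ssh call site that the `git grep '"ssh"'` sweep missed; the haddock just above still says "a given host (or user@host)", so update it to say the value is a validated SshHost and that the dash check lives in the constructor, not here.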
@@ -30,14 +31,14 @@ sshParams (host, port) opts = go =<< sshInfo (host, port)
 			liftIO $ createDirectoryIfMissing True $ parentDir socketfile
 			lockFile $ socket2lock socketfile
 			ret params
-		ret ps = return $ ps ++ opts ++ portParams port ++ [Param host]
+		ret ps = return $ ps ++ opts ++ portParams port ++ [Param (fromSshHost host)]
 		-- If the lock pool is empty, this is the first ssh of this
 		-- run. There could be stale ssh connections hanging around
 		-- from a previous git-annex run that was interrupted.
 		cleanstale = whenM (not . any isLock . M.keys <$> getPool) $
 			sshCleanup
 
-sshInfo :: (String, Maybe Integer) -> Annex (Maybe FilePath, [CommandParam])
+sshInfo :: (SshHost, Maybe Integer) -> Annex (Maybe FilePath, [CommandParam])
 sshInfo (host, port) = ifM caching
 	( do
 		dir <- fromRepo gitAnnexSshDir
@@ -91,7 +92,7 @@ sshCleanup = do
 				-- "ssh -O stop" is noisy on stderr even with -q
 				let cmd = unwords $ toCommand $
 					[ Params "-O stop"
-					] ++ params ++ [Param host]
+					] ++ params ++ [Param (fromSshHost host)]
 				boolSystem "sh"
 					[ Param "-c"
 					, Param $ "ssh " ++ cmd ++ " >/dev/null 2>/dev/null"
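Review bot: sshCleanup still interpolates the host into a `sh -c` string (`"ssh " ++ cmd ++ " >/dev/null 2>/dev/null"`), so the new SshHost guard only closes the option-injection hole; protection against shell metacharacters in the socket-derived host continues to rest entirely on the `toCommand` quoting in `unwords $ toCommand $ ...`. Add a comment at the boolSystem call saying that the toCommand step is load-bearing, so a later cleanup does not replace it with plain unwords.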
@@ -99,16 +100,17 @@ sshCleanup = do
 				-- Cannot remove the lock file; other processes may
 				-- be waiting on our exclusive lock to use it.
 
-hostport2socket :: String -> Maybe Integer -> FilePath
-hostport2socket host Nothing = host
-hostport2socket host (Just port) = host ++ "!" ++ show port
+hostport2socket :: SshHost -> Maybe Integer -> FilePath
+hostport2socket host Nothing = fromSshHost host
+hostport2socket host (Just port) = fromSshHost host ++ "!" ++ show port
 
-socket2hostport :: FilePath -> (String, Maybe Integer)
+socket2hostport :: FilePath -> (SshHost, Maybe Integer)
 socket2hostport socket
-	| null p = (h, Nothing)
-	| otherwise = (h, readish p)
+	| null p = (sshhost, Nothing)
+	| otherwise = (sshhost, readish p)
 	where
 		(h, p) = separate (== '!') $ takeFileName socket
+                sshhost = either error id (mkSshHost h)
 
 socket2lock :: FilePath -> FilePath
 socket2lock socket = socket ++ lockExt
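Review bot: `sshhost = either error id (mkSshHost h)` in socket2hostport turns a stale socket file whose name starts with '-' into a hard `error` inside sshCleanup; an unpatched git-annex would have left exactly such a file behind (the strace above shows `.git/annex/ssh/-oProxyCommand=ls`), so the cleanup would abort instead of skipping or removing it. Consider returning `Maybe (SshHost, Maybe Integer)` and having the caller skip such entries. Also, the added line is indented with spaces while the rest of the where-clause uses tabs; align it with `(h, p)` to keep the layout unambiguous under GHC's -Wtabs.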
diff --git a/Remote/Helper/Ssh.hs b/Remote/Helper/Ssh.hs
index f6742b89f..0101748aa 100644
--- a/Remote/Helper/Ssh.hs
+++ b/Remote/Helper/Ssh.hs
@@ -13,14 +13,19 @@ import qualified Git.Url
 import Config
 import Annex.UUID
 import Annex.Ssh
+import Utility.SshHost
 
 {- Generates parameters to ssh to a repository's host and run a command.
  - Caller is responsible for doing any neccessary shellEscaping of the
  - passed command. -}
 sshToRepo :: Git.Repo -> [CommandParam] -> Annex [CommandParam]
 sshToRepo repo sshcmd = do
+	let host = maybe
+		(error "bad ssh url")
+		(either error id . mkSshHost)
+		(Just $ Git.Url.hostuser repo)
 	opts <- map Param . words <$> getRemoteConfig repo "ssh-options" ""
-	params <- sshParams (Git.Url.hostuser repo, Git.Url.port repo) opts
+	params <- sshParams (host, Git.Url.port repo) opts
 	return $ params ++ sshcmd
 
 {- Generates parameters to run a git-annex-shell command on a remote
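Review bot: in sshToRepo the `maybe (error "bad ssh url") ...` wrapper is applied to `Just $ Git.Url.hostuser repo`, so the Nothing branch can never fire and the "bad ssh url" message is dead code; in this version hostuser evidently returns a plain String, so `either error id (mkSshHost (Git.Url.hostuser repo))` expresses the same check without the no-op. The placement itself is right: the host is rejected before sshParams assembles the argv.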
diff --git a/Utility/SshHost.hs b/Utility/SshHost.hs
new file mode 100644
index 000000000..d8a8da11d
--- /dev/null
+++ b/Utility/SshHost.hs
@@ -0,0 +1,29 @@
+{- ssh hostname sanitization
+ -
+ - When constructing a ssh command with a hostname that may be controlled
+ - by an attacker, prevent the hostname from starting with "-",
+ - to prevent tricking ssh into arbitrary command execution via
+ - eg "-oProxyCommand="
+ -
+ - Copyright 2017 Joey Hess <id@joeyh.name>
+ -
+ - License: BSD-2-clause
+ -}
+
+module Utility.SshHost (SshHost, mkSshHost, fromSshHost) where
+
+newtype SshHost = SshHost String
+
+-- | Smart constructor for a legal hostname or IP address.
+-- In some cases, it may be prefixed with "user@" to specify the remote
+-- user at the host.
+--
+-- For now, we only filter out the problem ones, because determining an
+-- actually legal hostnames is quite complicated.
+mkSshHost :: String -> Either String SshHost
+mkSshHost h@('-':_) = Left $
+	"rejecting ssh hostname that starts with '-' : " ++ h
+mkSshHost h = Right (SshHost h)
+
+fromSshHost :: SshHost -> String
+fromSshHost (SshHost h) = h
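Review bot: the export list `(SshHost, mkSshHost, fromSshHost)` hides the SshHost data constructor, and that is the whole guarantee; add a comment saying the constructor must stay unexported, since a later change to `SshHost(..)` would silently void the check. The haddock should also state that the test is applied to the whole `user@host` string, which is sufficient because ssh only treats a leading '-' as an option; note that an empty string still passes and ends up as an empty argument to ssh.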
diff --git a/debian/changelog b/debian/changelog
index 96d85da27..ec3f93d13 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+git-annex (3.20120629+deb7u1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
+    execute arbitrary commands via an ssh URL with an initial dash
+    character in the hostname, as demonstrated by an ssh://-eProxyCommand=
+    URL (Closes: #873088)
+
+ -- Antoine Beaupré <anarcat@debian.org>  Mon, 23 Oct 2017 16:00:55 -0400
+
 git-annex (3.20120629) unstable; urgency=low
 
   * cabal: Only try to use inotify on Linux.
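Review bot: the new changelog entry targets `UNRELEASED`; before the upload announced in the cover mail it needs the real suite (wheezy-security for an LTS upload), and security uploads conventionally use `urgency=high` rather than `medium`. The version 3.20120629+deb7u1, the CVE id and the Closes: #873088 reference match the cover letter.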
-- 
2.11.0

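As an added example (not git-annex's, Debian's or Joey Hess's code), here is a Python port of the patch's mkSshHost check, wrapped in a small scanner that applies it to the remote URLs in a git config file, so a repository can be audited for remotes that would have triggered CVE-2017-12976. The sample config is constructed; hostuser_of_url is a simplified stand-in for git-annex's Git.Url.hostuser, extended to the scp-like and bracketed-IPv6 URL forms the patch does not show.

```python
import re
from typing import List, Optional, Tuple


class BadSshHost(ValueError):
    """Raised when a host string would be parsed by ssh as an option."""


def mk_ssh_host(hostuser: str) -> str:
    """Port of git-annex's mkSshHost smart constructor.

    ssh treats a leading '-' as an option, so "-oProxyCommand=ls" in the
    host position becomes a command to run; anything else is returned as-is.
    Like the original, this validates the whole "[user@]host" string.
    """
    if hostuser.startswith("-"):
        raise BadSshHost("rejecting ssh hostname that starts with '-' : " + hostuser)
    return hostuser


def _strip_port(authority: str) -> str:
    # "user@host:2222" -> "user@host", "[::1]:22" -> "[::1]", "[::1]" unchanged
    head, sep, tail = authority.rpartition(":")
    if sep and tail.isdigit():
        return head
    return authority


def hostuser_of_url(url: str) -> Optional[str]:
    """Return the [user@]host part git would hand to ssh, or None for non-ssh URLs.

    Simplified stand-in (assumption, not git-annex code) for Git.Url.hostuser:
    handles ssh://[user@]host[:port]/path and the scp-like [user@]host:path form.
    """
    m = re.match(r"^(?:git\+)?ssh://([^/]*)(?:/.*)?$", url)
    if m:
        return _strip_port(m.group(1))
    if "://" not in url:
        # scp-like syntax: only if no '/' precedes the first ':' (git treats
        # "./foo:bar" and "dir/foo:bar" as local paths, not remote hosts).
        head, sep, _ = url.partition(":")
        if sep and head and "/" not in head:
            return head
    return None


def remote_urls(config_text: str) -> List[Tuple[str, str]]:
    """Parse (remote name, url) pairs out of a git config file.

    A hand-rolled parser is used because git config indents keys with tabs,
    which configparser would misread as continuation lines.
    """
    remotes = []
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r'^\[remote\s+"([^"]+)"\]$', line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("["):
            section = None  # some other section, e.g. [core]
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep and key.strip() in ("url", "pushurl"):
            remotes.append((section, value.strip()))
    return remotes


def scan_config(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (remote, url, reason) for each remote whose host mk_ssh_host rejects."""
    findings = []
    for name, url in remote_urls(config_text):
        hostuser = hostuser_of_url(url)
        if hostuser is None:
            continue  # not an ssh remote, ssh never sees this URL
        try:
            mk_ssh_host(hostuser)
        except BadSshHost as exc:
            findings.append((name, url, str(exc)))
    return findings


# Constructed sample .git/config; "origin" carries the URL from the PoC above.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = ssh://-oProxyCommand=ls/foo
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "upstream"]
\turl = ssh://git@example.com:2222/git-annex.git
[remote "backup"]
\turl = git@example.com:anarcat/git-annex.git
[remote "mirror"]
\turl = https://example.com/git-annex.git
"""

if __name__ == "__main__":
    for name, url, reason in scan_config(SAMPLE_CONFIG):
        print(f"remote {name!r}: {url} -> {reason}")
```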

Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 26 Oct 2017 14:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Thu, 26 Oct 2017 14:39:02 GMT) (full text, mbox, link).


Message #58 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Thu, 26 Oct 2017 10:34:43 -0400
On 2017-10-23 09:26:28, Antoine Beaupré wrote:
>> What's the status?
>
> I'm resuming work on this now, and I'll see how I can backport this to
> wheezy, which should helpfully give some help/nudge to the jessie
> version as well.

Hi,

I have pushed DLA-1144-1 for git-annex in wheezy after summary tests.

I have also backported joey's patch to jessie. It was simpler than
wheezy because the code is much more similar. The resulting patch is
available here:

https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265

As expected, the patch Joey provided applies fine on stretch and should
be applied and uploaded as-is. This time, it's in debian/patches because
the package is non-native since stretch:

https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d

I can do the upload if you authorize me. The above are not *exactly*
debdiffs, but they are pretty close, so I hope that's sufficient for
review.

A.

-- 
In serious work commanding and discipline are of little avail.
                         - Peter Kropotkin



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 26 Oct 2017 15:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Thu, 26 Oct 2017 15:18:03 GMT) (full text, mbox, link).


Message #63 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Thu, 26 Oct 2017 17:14:34 +0200
On Oct/26, Antoine Beaupré wrote:
> I have also backported joey's patch to jessie. It was simpler than
> wheezy because the code is much more similar. The resulting patch is
> available here:
> 
> https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
> 
> As expected, the patch Joey provided applies fine on stretch and
> should be applied and uploaded as-is. This time, it's in
> debian/patches because the package is non-native since stretch:
> 
> https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
> 
> I can do the upload if you authorize me. The above are not *exactly*
> debdiffs, but they are pretty close, so I hope that's sufficient for
> review.

Thank you for backporting those.

For the jessie debdiff, please change the version to 5.20141125+deb8u1,
and target jessie-security. The stretch one looks good as is.

Make sure you build both with -sa, and then you can upload.

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 26 Oct 2017 15:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Thu, 26 Oct 2017 15:27:03 GMT) (full text, mbox, link).


Message #68 received at 873088@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: Sébastien Delafond <seb@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Thu, 26 Oct 2017 11:25:53 -0400
On 2017-10-26 11:14:34, Sébastien Delafond wrote:
> On Oct/26, Antoine Beaupré wrote:
>> I have also backported joey's patch to jessie. It was simpler than
>> wheezy because the code is much more similar. The resulting patch is
>> available here:
>> 
>> https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265
>> 
>> As expected, the patch Joey provided applies fine on stretch and
>> should be applied and uploaded as-is. This time, it's in
>> debian/patches because the package is non-native since stretch:
>> 
>> https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d
>> 
>> I can do the upload if you authorize me. The above are not *exactly*
>> debdiffs, but they are pretty close, so I hope that's sufficient for
>> review.
>
> Thank you for backporting those.
>
> For the jessie debdiff, please change the version to 5.20141125+deb8u1,
> and target jessie-security. The stretch one looks good as is.
>
> Make sure you build both with -sa, and then you can upload.

Right, how does that look then?

https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04

Then I can just upload this to security-master?

A.
-- 
In god we trust, others pay cash.
                        - Richard Desjardins, Miami



Information forwarded to debian-bugs-dist@lists.debian.org, Richard Hartmann <richih@debian.org>:
Bug#873088; Package git-annex. (Thu, 26 Oct 2017 15:57:02 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Richard Hartmann <richih@debian.org>. (Thu, 26 Oct 2017 15:57:03 GMT) (full text, mbox, link).


Message #73 received at 873088@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Antoine Beaupré <anarcat@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, Raphael Hertzog <hertzog@debian.org>, Richard Hartmann <richih@debian.org>, 873088@bugs.debian.org, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: git-annex security issue backports
Date: Thu, 26 Oct 2017 17:53:55 +0200
On Oct/26, Antoine Beaupré wrote:
> Right, how does that look then?
> 
> https://gitlab.com/anarcat/git-annex/commit/b21ccd25ecd4cad0efcc8f4f0c94ad99ce32cd04

Nah, +deb8u1 ;)

> Then I can just upload this to security-master?

Yep.

Cheers,

--Seb



Marked as fixed in versions 6.20170818. Request was from Anthony DeRobertis <anthony@derobert.net> to control@bugs.debian.org. (Tue, 05 Dec 2017 18:15:08 GMT)


No longer marked as fixed in versions 6.20170818. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Dec 2017 18:39:10 GMT)


Marked as fixed in versions git-annex/5.20141125+deb8u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Dec 2017 18:39:11 GMT)


Marked as fixed in versions 6.20170101-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Dec 2017 18:39:11 GMT)


Marked as fixed in versions git-annex/6.20171124-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 05 Dec 2017 19:27:02 GMT)


Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Sun, 17 Jun 2018 18:06:05 GMT)


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Sun, 17 Jun 2018 18:06:05 GMT)


Message #88 received at 873088-close@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: 873088-close@bugs.debian.org
Subject: Bug#873088: fixed in git-annex 5.20141125+deb8u1
Date: Sun, 17 Jun 2018 18:02:34 +0000
Source: git-annex
Source-Version: 5.20141125+deb8u1

We believe that the bug you reported is fixed in the latest version of
git-annex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873088@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated git-annex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 26 Oct 2017 10:23:02 -0400
Source: git-annex
Binary: git-annex
Architecture: source amd64
Version: 5.20141125+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description:
 git-annex  - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (5.20141125+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
     execute arbitrary commands via an ssh URL with an initial dash
     character in the hostname, as demonstrated by an ssh://-eProxyCommand=
     URL (Closes: #873088)





Reply sent to Sean Whitton <spwhitton@spwhitton.name>:
You have taken responsibility. (Fri, 06 Jul 2018 13:33:10 GMT)


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Fri, 06 Jul 2018 13:33:10 GMT)


Message #93 received at 873088-close@bugs.debian.org:

From: Sean Whitton <spwhitton@spwhitton.name>
To: 873088-close@bugs.debian.org
Subject: Bug#873088: fixed in git-annex 6.20170101-1+deb9u2
Date: Fri, 06 Jul 2018 13:32:09 +0000
Source: git-annex
Source-Version: 6.20170101-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
git-annex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873088@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhitton@spwhitton.name> (supplier of updated git-annex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 22 Jun 2018 16:42:37 +0100
Source: git-annex
Binary: git-annex
Architecture: source
Version: 6.20170101-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Richard Hartmann <richih@debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Description:
 git-annex  - manage files with git, without checking their contents into git
Closes: 873088
Changes:
 git-annex (6.20170101-1+deb9u2) stretch; urgency=high
 .
   [ Joey Hess ]
   * CVE-2018-10857:
     - Added annex.security.allowed-url-schemes setting, which defaults
       to only allowing http, https, and ftp URLs. Note especially that file:/
       is no longer enabled by default.
     - Removed annex.web-download-command, since its interface does not allow
       supporting annex.security.allowed-url-schemes across redirects.
       If you used this setting, you may want to instead use annex.web-options
       to pass options to curl.
     - git-annex will refuse to download content from the web, to prevent
       accidental exposure of data on private webservers on localhost and the
       LAN. This can be overridden with the
       annex.security.allowed-http-addresses setting.
       (The S3, glacier, and webdav special remotes are still allowed to
       download from the web.)
   * CVE-2018-10857 and CVE-2018-10859:
     - Refuse to download content, that cannot be verified with a hash,
       from encrypted special remotes (for CVE-2018-10859),
       and from all external special remotes (for CVE-2018-10857).
       In particular, URL and WORM keys stored on such remotes won't
       be downloaded. If this affects your files, you can run
       `git-annex migrate` on the affected files, to convert them
       to use a hash.
     - Added annex.security.allow-unverified-downloads, which can override
       the above.
 .
 git-annex (6.20170101-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-12976: git-annex before 6.20170818 allows remote attackers to
     execute arbitrary commands via an ssh URL with an initial dash
     character in the hostname, as demonstrated by an ssh://-eProxyCommand=
     URL (Closes: #873088)



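As an added example (not git-annex's own code, which is Haskell), the two checks described by the changelog entries above, written in Python: refusing ssh:// URLs whose user or host begins with a dash (the CVE-2017-12976 entry), and enforcing the scheme allowlist and the loopback/LAN address refusal from the CVE-2018-10857 entry at every hop of a redirect chain. The `FAKE_DNS` table, the redirect chain and the function names are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Default allowlist named in the deb9u2 changelog (annex.security.allowed-url-schemes).
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# Constructed, offline stand-in for DNS so the example never touches the network.
FAKE_DNS = {"example.org": "93.184.216.34", "intranet.lan": "10.0.0.5",
            "localhost": "127.0.0.1"}


def ssh_argv(url, remote_command):
    """Build an ssh argv for an ssh:// URL, refusing a user or host that starts
    with '-' so neither can be parsed as an ssh option (CVE-2017-12976)."""
    u = urlsplit(url)
    if u.scheme != "ssh" or not u.hostname:
        raise ValueError("not an ssh URL: %r" % url)
    for part in (u.username, u.hostname):
        if part is not None and part.startswith("-"):
            raise ValueError("refusing option-like URL component: %r" % part)
    argv = ["ssh"]
    if u.port is not None:
        argv += ["-p", str(u.port)]
    target = u.hostname if u.username is None else "%s@%s" % (u.username, u.hostname)
    # "--" ends option parsing in getopt-based clients such as OpenSSH: defence in depth.
    return argv + ["--", target, remote_command]


def check_web_url(url, resolve=FAKE_DNS.get):
    """Apply the changelog's defaults: only allowed schemes, and no download from
    loopback, link-local or private (LAN) addresses."""
    u = urlsplit(url)
    if u.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme %r not in allowed-url-schemes" % u.scheme)
    ip = resolve(u.hostname or "")
    if ip is None:
        raise ValueError("cannot resolve host in %r" % url)
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_private:
        raise ValueError("%s resolves to non-public address %s" % (u.hostname, addr))
    return url


def check_redirect_chain(urls, resolve=FAKE_DNS.get):
    """Re-check every hop of a (constructed) redirect chain: a download that
    starts on a public host may still be redirected to file:/ or to the LAN."""
    for url in urls:
        check_web_url(url, resolve)
    return urls[-1]
```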


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 08:35:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:12:51 2019; Machine Name: buxtehude
