Opened 6 years ago
Closed 6 years ago
#55439 closed defect (fixed)
bzr: Backport fix for CVE-2017-14176
| Reported by: | raimue (Rainer Müller) | Owned by: | raimue (Rainer Müller) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | security | Cc: | |
| Port: | bzr |
Description
Upstream issue: https://bugs.launchpad.net/bzr/+bug/1710979
Bazaar suffers from the same bug that affects Mercuril and Git: A hostname that starts with a - is passed on verbatim to the ssh command, which means that the host bit in the URL can be used to set arbitrary SSH options. E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path" Presumably this only affects users that are using the Subprocess SSH vendor, and not those using the Paramiko SSH Vendor.
Change History (2)
comment:1 Changed 6 years ago by raimue (Rainer Müller)
comment:2 Changed 6 years ago by raimue (Rainer Müller)
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note: See
TracTickets for help on using
tickets.
Potential patch: https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/view/head:/debian/patches/27_fix_sec_ssh