ESB-2018.2639 - [Debian] git-annex: Multiple vulnerabilities 2018-09-06


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2639
                         git-annex security update
                             6 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           git-annex
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10859 CVE-2018-10857 CVE-2017-12976

Reference:         ESB-2018.1958
                   ESB-2017.2746

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/09/msg00004.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : git-annex
Version        : 5.20141125+oops-1+deb8u2
CVE ID         : CVE-2017-12976 CVE-2018-10857 CVE-2018-10859
Debian Bug     : 873088

The git-annex package was found to have multiple vulnerabilities when
operating on untrusted data that could lead to arbitrary command
execution and encrypted data exfiltration.

CVE-2017-12976

    git-annex before 6.20170818 allows remote attackers to execute
    arbitrary commands via an ssh URL with an initial dash character
    in the hostname, as demonstrated by an ssh://-eProxyCommand= URL,
    a related issue to CVE-2017-9800, CVE-2017-12836,
    CVE-2017-1000116, and CVE-2017-1000117.

CVE-2018-10857

    git-annex is vulnerable to a private data exposure and
    exfiltration attack. It could expose the content of files located
    outside the git-annex repository, or content from a private web
    server on localhost or the LAN.

CVE-2018-10859

    git-annex is vulnerable to an Information Exposure when decrypting
    files. A malicious server for a special remote could trick
    git-annex into decrypting a file that was encrypted to the user's
    gpg key. This attack could be used to expose encrypted data that
    was never stored in git-annex.
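
Added here as an example, not code from the bulletin or from git-annex: the fetch-side URL checks that close the two bug classes described above (the option-looking ssh hostname of CVE-2017-12976 and the local-file or localhost/LAN target of CVE-2018-10857). The function names, the FAKE_DNS table and its addresses are this example's own assumptions.

```python
"""Added example (not git-annex code): fetch-side URL checks for the two bug
classes in this bulletin. CVE-2017-12976: an ssh:// hostname starting with
'-' reaches ssh as an option (the ssh://-eProxyCommand= case), so such hosts
are refused before any argv is built. CVE-2018-10857: a URL given to a fetcher
may point at local files or a localhost/LAN server, so only http(s) to public
addresses is accepted. Names here (check, FAKE_DNS, ...) are assumptions."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {"files.example.org": ["93.184.216.34"],
            "intranet.example.org": ["10.0.0.5"]}

def fake_resolve(host):
    return FAKE_DNS.get(host, [host])  # unknown names are tried as literal IPs

def check(url, resolve=fake_resolve):
    """Return (True, target) if the URL is acceptable, else (False, reason)."""
    p = urlsplit(url)
    if p.scheme == "ssh":
        return _check_ssh(p)
    if p.scheme in ("http", "https"):
        return _check_http(p, resolve)
    return False, f"scheme not allowed: {p.scheme!r}"  # file://, ftp://, ...

def _check_ssh(p):
    if not p.hostname:
        return False, "ssh URL without a host"
    # Every field that becomes its own ssh argument must not look like an option.
    for field in (p.hostname, p.username):
        if field and field.startswith("-"):
            return False, f"would be read as an ssh option: {field!r}"
    return True, (f"{p.username}@{p.hostname}" if p.username else p.hostname)

def _check_http(p, resolve):
    if not p.hostname or p.hostname == "localhost":
        return False, "missing or loopback host"
    # Check every address the name resolves to; a real fetcher should also pin
    # the address it checked so the name cannot be re-bound after the check.
    for ip in resolve(p.hostname):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False, f"cannot resolve {p.hostname!r}"
        if not addr.is_global:  # loopback, RFC 1918, link-local, ...
            return False, f"{p.hostname} resolves to non-public {ip}"
    return True, p.geturl()
```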

For Debian 8 "Jessie", these problems have been fixed in version
5.20141125+oops-1+deb8u2.

We recommend that you upgrade your git-annex packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
