[Bug 1710979] Re: bzr+ssh URLs don't strip SSH options

Jelmer Vernooij 1710979 at bugs.launchpad.net
Sat Dec 9 03:25:28 UTC 2017


https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html
claims that "release 3.0.0" of bzr fixes this issue, but there is no such
release.

Also, it claims that Adam Collard found the issue - while it was Augie
who first made mention of it.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to bzr in Ubuntu.
https://bugs.launchpad.net/bugs/1710979

Title:
  bzr+ssh URLs don't strip SSH options

Status in Breezy:
  Fix Released
Status in Bazaar:
  Confirmed
Status in bzr package in Ubuntu:
  Fix Released

Bug description:
  Bazaar suffers from the same bug that affects Mercurial and Git:

  A hostname that starts with a - is passed on verbatim to the ssh
  command, which means that the host bit in the URL can be used to set
  arbitrary SSH options.

  E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

  Presumably this only affects users that are using the Subprocess SSH
  vendor, and not those using the Paramiko SSH Vendor.

  See e.g. https://security-tracker.debian.org/tracker/CVE-2017-1000117
  for the Git advisory.

To manage notifications about this bug go to:
https://bugs.launchpad.net/brz/+bug/1710979/+subscriptions
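As an added example (not bzr or brz code) of the construction the bug description talks about and the fix a client needs: the naive builder places the URL host where ssh is still reading options, so the report's "-oProxyCommand=ls" host turns into an option; the hardened builder refuses option-shaped components and terminates option parsing with "--". The scheme check, the REMOTE_CMD list and the omission of IPv6 bracket literals are assumptions made for this example.

```python
"""Added example (not bzr/brz code): how a bzr+ssh URL host becomes an ssh
option when argv is built naively, and a hardened builder that keeps the
destination positional.  No process is spawned; every function returns data.
"""
from urllib.parse import urlsplit

# What the client asks the remote ssh session to run (constructed for this example).
REMOTE_CMD = ["bzr", "serve", "--inet", "--directory=/", "--allow-writes"]


class UnsafeDestinationError(ValueError):
    """The URL's user or host component would be parsed as an ssh option."""


def split_destination(url):
    """Return (user, host, port) from bzr+ssh://[user@]host[:port]/path (no IPv6 literals)."""
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % url)
    netloc, user, port = parts.netloc, None, None
    if "@" in netloc:
        user, netloc = netloc.rsplit("@", 1)   # strip user[:password]@ prefix
    host = netloc
    if ":" in netloc:
        host, port = netloc.rsplit(":", 1)     # strip trailing :port
    return user, host, port


def destination_is_unsafe(url):
    """True when user or host is empty or starts with '-', i.e. looks like an option."""
    user, host, _ = split_destination(url)
    return any(v is not None and (v == "" or v[0] == "-") for v in (user, host))


def ssh_argv_naive(url):
    """Vulnerable shape: the destination lands where ssh is still reading options."""
    user, host, port = split_destination(url)
    dest = host if user is None else "%s@%s" % (user, host)
    return ["ssh"] + (["-p", port] if port else []) + [dest] + REMOTE_CMD


def ssh_argv_hardened(url):
    """Fixed shape: reject option-shaped components, then '--' so dest is positional."""
    if destination_is_unsafe(url):
        raise UnsafeDestinationError("destination in %r would be parsed as an ssh option" % url)
    user, host, port = split_destination(url)
    dest = host if user is None else "%s@%s" % (user, host)
    return ["ssh"] + (["-p", port] if port else []) + ["--", dest] + REMOTE_CMD
```

The explicit rejection is kept alongside "--" because not every SSH vendor a client may shell out to is guaranteed to honour the option terminator.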
