CVE-2017-12836

Name of the Vulnerable Software and Affected Versions CVS versions 1.12.x git-annex versions prior to 6.20170818

Description The issue is related to the improper handling of data when interacting with a remote repository over SSH. This could allow a remote attacker to execute arbitrary code by using a specially crafted hostname in the repository URL. For example, a malicious SSH hostname like -oProxyCommand=id;localhost:/bar or ssh://-eProxyCommand=evil/blah could be used to exploit this. The attacker would need to trick the victim into adding a remote repository with such a URL or embedding it in the git-annex branch using initremote.

Recommendations For CVS version 1.12.x, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For git-annex versions prior to 6.20170818, update to version 6.20170818 or later to resolve the issue. As a temporary workaround, consider avoiding the use of initremote with SSH remotes and restricting the addition of new remote repositories to prevent potential exploitation.