PT-2017-10820 · Git+5 · Git-Scm+7

Brian Neel +2 · Published 2017-08-10 · Updated 2025-11-14 · CVE-2017-1000117

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

git versions prior to 6.20170818
git-scm git (affected versions not specified)

Description

A malicious third party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. This can be done by placing the URL in the .gitmodules file of a malicious project; an unsuspecting victim could then be tricked into running "git clone --recurse-submodules" to trigger the issue.

The git-annex command is also vulnerable to command injection via a malicious SSH hostname. If the hostname parsed from the URL is something like -eProxyCommand=evil, this could result in arbitrary local code execution. An attacker could exploit this by tricking the victim into adding a remote such as ssh://-eProxyCommand=evil/blah, or by using initremote with an SSH remote and embedding the URL in the git-annex branch.

Recommendations

For git versions prior to 6.20170818, update to version 6.20170818 or later to resolve the issue.

For git-scm git, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider avoiding the use of git clone --recurse-submodules with untrusted projects and restricting the use of git-annex with SSH remotes until a patch is available. Avoid using URLs that start with ssh:// and contain potentially malicious hostnames, such as those starting with -eProxyCommand=.
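
The hostname check recommended above can be run over a .gitmodules file before recursing into submodules. The following is an added example, not code from Git, git-annex or this advisory: the function names and the sample file are constructed, and handling of the git+ssh:// and ssh+git:// aliases and of scp-style [user@]host:path URLs is an assumed generalization beyond the ssh:// case the advisory describes.

```python
import re
from urllib.parse import unquote

SSH_SCHEMES = ("ssh://", "git+ssh://", "ssh+git://")  # aliases are an assumption
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
URL_RE = re.compile(r'^\s*url\s*=\s*(.*?)\s*$', re.IGNORECASE)
SCP_RE = re.compile(r'^(?:[^@/:]+@)?([^/:]+):')  # scp-style [user@]host:path

def ssh_host(url):
    """Return the host that would be handed to ssh, or None for non-SSH URLs."""
    if url.lower().startswith(SSH_SCHEMES):
        # Decode first so a percent-encoded leading dash is not missed.
        authority = unquote(url.split("://", 1)[1]).split("/", 1)[0]
        host = authority.rsplit("@", 1)[-1]  # drop any user@ prefix
        # Keep bracketed IPv6 literals whole; otherwise strip the :port suffix.
        return host if host.startswith("[") else host.split(":", 1)[0]
    if "://" not in url:
        m = SCP_RE.match(url)
        return m.group(1) if m else None
    return None

def suspicious_submodules(gitmodules_text):
    """Return (submodule, url, host) tuples whose SSH host starts with '-'."""
    findings, name = [], None
    for line in gitmodules_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            name = sec.group(1)
            continue
        kv = URL_RE.match(line)
        if kv and name is not None:
            host = ssh_host(kv.group(1))
            # A leading dash means ssh would parse the "host" as an option.
            if host is not None and host.startswith("-"):
                findings.append((name, kv.group(1), host))
    return findings

# Constructed sample .gitmodules; the second URL is the form quoted in the advisory.
SAMPLE = '''[submodule "docs"]
    path = docs
    url = ssh://git@git.example.org/team/docs.git
[submodule "vendor/lib"]
    path = vendor/lib
    url = ssh://-eProxyCommand=evil/blah
'''

if __name__ == "__main__":
    for name, url, host in suspicious_submodules(SAMPLE):
        print(f"REJECT submodule {name!r}: host {host!r} looks like an option ({url})")
```

A non-empty result is a reason to refuse the recursive clone and inspect the repository by hand.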

Exploit

Open Redirect

Weakness Enumeration

Related Identifiers

ALT-PU-2017-2039
ALT-PU-2018-2508
ALT-PU-2020-1641
ALT-PU-2020-2914
CESA-2017_2480
CESA-2017_2484
CESA-2017_2485
CESA-2017_2489
CESA-2018_1957
CESA-2018_3408
CESA-2020_0316
CVE-2017-1000117
DLA-1068-1
DLA-1495-1
DSA-3934-1
ELSA-2017-2484
ELSA-2017-2485
HSEC-2023-0009
MGASA-2017-0266
OPENSUSE-SU-2017_2182-1
OPENSUSE-SU-2017_2331-1
OPENSUSE-SU-2024:10786-1
RHSA-2017:2484
RHSA-2017:2485
RHSA-2017:2491
RHSA-2017:2674
RHSA-2017_2480
RHSA-2017_2484
RHSA-2017_2485
RHSA-2017_2489
SUSE-SU-2017:2225-1
SUSE-SU-2017:2320-1
SUSE-SU-2017_2225-1
SUSE-SU-2017_2320-1
SUSE-SU-2020_0992-1
USN-3387-1

Affected Products

Alt Linux
Centos
Red Hat
Suse
Ubuntu
Git
Git-Annex
Git-Scm