bzr+ssh URLs don't strip SSH options

Bug #1710979 reported by Jelmer Vernooij
306
This bug affects 6 people
Affects Status Importance Assigned to Milestone
Bazaar
Confirmed
Undecided
Unassigned
Breezy
Fix Released
Critical
Jelmer Vernooij
bzr (Ubuntu)
Fix Released
Critical
Unassigned

Bug Description

Bazaar suffers from the same bug that affects Mercuril and Git:

A hostname that starts with a - is passed on verbatim to the ssh command, which means that the host bit in the URL can be used to set arbitrary SSH options.

E.g. bzr log "bzr+ssh://-oProxyCommand=ls/path"

Presumably this only affects users that are using the Subprocess SSH vendor, and not those using the Paramiko SSH Vendor.

See e.g. https://security-tracker.debian.org/tracker/CVE-2017-1000117 for the Git advisory.

Jelmer Vernooij (jelmer)
Changed in bzr:
status: New → Confirmed
Changed in brz:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Critical
Revision history for this message
Augie Fackler (durin42) wrote :

Subversion explored poking a -- on the ssh command string to be safe, but discovered that putty's implementation doesn't understand -- so it would have broken Windows users.

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

I've posted an initial fix for Breezy in https://code.launchpad.net/~jelmer/brz/fix-ssh-sec

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Bazaar distinguishes between the different implementations, so I've opted for adding -- for openssh and print an error for all the other ones (including plink - putty's implementation).

Jelmer Vernooij (jelmer)
Changed in brz:
assignee: nobody → Jelmer Vernooij (jelmer)
milestone: none → 3.0.0
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bzr (Ubuntu):
status: New → Confirmed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks, I've requested a CVE for Bazaar.

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Thanks. We can cherry-pick the patch from Breezy for Bazaar.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Can I make this bug public?

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

I've just done so.

information type: Private Security → Public
information type: Public → Public Security
Jelmer Vernooij (jelmer)
Changed in brz:
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.7.0+bzr6619-7ubuntu0.1

---------------
bzr (2.7.0+bzr6619-7ubuntu0.1) zesty-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <email address hidden> Mon, 28 Aug 2017 21:54:13 -0700

Changed in bzr (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.6.0+bzr6593-1ubuntu1.6

---------------
bzr (2.6.0+bzr6593-1ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <email address hidden> Mon, 28 Aug 2017 23:11:14 -0700

Changed in bzr (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.7.0-2ubuntu3.1

---------------
bzr (2.7.0-2ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Possible arbitrary code execution on clients
    through malicious bzr+ssh URLs
    - debian/patches/24_ssh_hostnames-lp1710979: ensure that host
      arguments to ssh cannot be treated as ssh options.
    - LP: #1710979

 -- Steve Beattie <email address hidden> Mon, 28 Aug 2017 22:04:57 -0700

Changed in bzr (Ubuntu):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
Changed in bzr (Ubuntu):
importance: Undecided → Critical
Revision history for this message
Jelmer Vernooij (jelmer) wrote :

Hi Marc, any news on the CVE?

Revision history for this message
Emily Ratliff (emilyr) wrote :

CVE-2017-14176 has been assigned for this vulnerability.

Haw Loeung (hloeung)
Changed in bzr:
status: Confirmed → Fix Released
Revision history for this message
Jelmer Vernooij (jelmer) wrote :

This isn't actually fixed in bzr upstream, just in breezy and in the ubuntu package.

Changed in bzr:
status: Fix Released → Confirmed
Revision history for this message
Jelmer Vernooij (jelmer) wrote :

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-14176.html claims that "release 3.0.0" of bzr fixes this issue, but there is no such release.

Also, it claims that Adam Collard found the issue - while it was Augie who first made mention of it.

Revision history for this message
Jelmer Vernooij (jelmer) wrote :

+ubuntu-security

Can you please fix the USN to remove "3.0" as version with a fix from the list? This is what everybody else seems to be copying.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Sure, I updated the tracker. Not sure why it listed 3.0.0.

Revision history for this message
Bernhard M. Wiedemann (ubuntubmw) wrote :

fix is still missing in bzr repo

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.