Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #10591 Arbitrary code execution via well crafted URL in CVS
    Actions
    Infos
    #10591
    Thomas Gerbet (tgerbet)
    2017-08-23 15:43
    2017-08-23 15:11
    10835
    Details
    Arbitrary code execution via well crafted URL in CVS

    Arbitrary code execution can be achieved when a repository is retrieved from a well crafted URL.

    Impact

    Impact are similar than for request #10543. Tuleap has a dependency on hiw own CVS version (package cvs-tuleap in the repositories)

    References

    Blogpost from the security researcher that has found the issue: Compromise On Checkout - Vulnerabilities in SCM Tools
    CVE-2017-12836 has been assigned to this issue for CVS
    Confirmation of the issue for CVS on oss-sec ML

    SCM/CVS
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Declined
    2017-08-23
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #10571 Tuleap Releases 9.12 Delivered 2017-09-18 11:43 Yannis ROSSETTO (rossettoy)
    Empty
    References
    Referenced by request #10591

    Artifact Tracker v5

    rel #10571 9.12
    Display settings

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2017-08-23 15:43
    RedHat position on this is won't fix [1]. The patch done by the more or less current maintainer [2] does not apply cleanly since the code he maintains has a bit diverged from what we have.

    Exploiting the vulnerability is hard with CVS especially in our context. Like the CVS RedHat distributes, the one in the Tuleap repository won't be fixed.

    [1] https://access.redhat.com/security/cve/cve-2017-12836
    [2] https://www.mirbsd.org/permalinks/wlog-10_e20170811-tg.htm
    • Status changed from Under implementation to Declined
    • Connected artifacts
    • Close date set to 2017-08-23