Upstream information

CVE-2017-12836 at MITRE

Description

CVS 1.12.x, when configured to use SSH for remote repositories, might allow remote attackers to execute arbitrary code via a repository URL with a crafted hostname, as demonstrated by "-oProxyCommand=id;localhost:/bar."

SUSE information

Overall state of this security issue: Reopen

This issue is currently rated as having critical severity.

CVSS v2 Scores

| | National Vulnerability Database | SUSE |
|---|---|---|
| Base Score | 5.1 | 10 |
| Vector | AV:N/AC:H/Au:N/C:P/I:P/A:P | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Access Vector | Network | Network |
| Access Complexity | High | Low |
| Authentication | None | None |
| Confidentiality Impact | Partial | Complete |
| Integrity Impact | Partial | Complete |
| Availability Impact | Partial | Complete |

CVSS v3 Scores

| | SUSE |
|---|---|
| Base Score | 5 |
| Vector | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L |
| Access Vector | Network |
| Access Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | Low |

Note from the SUSE Security Team

This can only be exploited if the checked-out URL can be provided. CVS itself does not have the concept of externals like Subversion or Git, so this cannot be injected automatically by malicious servers. So user interaction is likely necessary to get this exploited.
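A pre-flight check for CVSROOT strings that arrive from outside (build scripts, checkout instructions) before they are handed to cvs. This is an added example, not code from SUSE or the CVS project; the function name, the allowlist patterns and the sample roots are assumptions of the example, and IPv6 literals are not handled. It rejects any host or user field that does not start with an alphanumeric character, which covers the crafted hostname quoted in the description.

```python
import re

# Conservative allowlists (an assumption of this example, stricter than CVS):
# a host or user name must start with an alphanumeric, so it can never be
# read as a command-line option by the program cvs spawns for SSH access.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")
LOCAL_METHODS = {"local", "fork"}  # access methods that contact no remote host


def check_cvsroot(root):
    """Return (ok, reason) for a CVSROOT of the form
    [:method:][[user][:password]@]hostname[:[port]]/path."""
    method, rest = None, root
    if rest.startswith(":"):
        end = rest.find(":", 1)
        if end == -1:
            return False, "unterminated :method: prefix"
        method, rest = rest[1:end], rest[end + 1:]
    slash = rest.find("/")
    if slash == -1:
        return False, "no absolute repository path"
    hostpart = rest[:slash]
    if method in LOCAL_METHODS or (method is None and not hostpart):
        return True, "local repository"
    # Split [user[:password]@]host[:port]; the host follows the last '@'.
    userinfo, _, hostport = hostpart.rpartition("@")
    host, _, port = hostport.partition(":")
    user = userinfo.split(":", 1)[0]
    if not HOST_RE.fullmatch(host):
        return False, f"rejected hostname {host!r}"
    if userinfo and not USER_RE.fullmatch(user):
        return False, f"rejected user name {user!r}"
    if port and not port.isdigit():
        return False, f"rejected port {port!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample roots; the second carries the hostname from the description.
    for sample in (":ext:alice@cvs.example.org:/srv/cvsroot",
                   ":ext:-oProxyCommand=id;localhost:/bar",
                   "/var/lib/cvs"):
        print(sample, "->", check_cvsroot(sample))
```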

SUSE Bugzilla entries: 1052481 [RESOLVED], 1052696 [RESOLVED / FIXED], 1052932 [RESOLVED], 1053364 [RESOLVED / FIXED], 1066430 [IN_PROGRESS]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Desktop 12 SP2
  • cvs >= 1.12.12-182.3.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP2-2017-1499
SUSE Linux Enterprise Desktop 12 SP3
  • cvs >= 1.12.12-182.3.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP3-2017-1499
SUSE Linux Enterprise Server 11 SP4
  • cvs >= 1.12.12-144.23.5.3.1
  • cvs-doc >= 1.12.12-144.23.5.3.1
Patchnames:
slessp4-cvs-13279
SUSE Linux Enterprise Server 12 SP2
  • cvs >= 1.12.12-182.3.1
  • cvs-doc >= 1.12.12-182.3.1
Patchnames:
SUSE-SLE-SERVER-12-SP2-2017-1499
SUSE Linux Enterprise Server 12 SP3
  • cvs >= 1.12.12-182.3.1
  • cvs-doc >= 1.12.12-182.3.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-2017-1499
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • cvs >= 1.12.12-182.3.1
  • cvs-doc >= 1.12.12-182.3.1
Patchnames:
SUSE-SLE-RPI-12-SP2-2017-1499
SUSE Linux Enterprise Software Development Kit 11 SP4
  • cvs >= 1.12.12-144.23.5.3.1
  • cvs-doc >= 1.12.12-144.23.5.3.1
Patchnames:
sdksp4-cvs-13279
openSUSE Leap 42.2
  • cvs >= 1.12.12-185.3.1
  • cvs-debuginfo >= 1.12.12-185.3.1
  • cvs-debugsource >= 1.12.12-185.3.1
  • cvs-doc >= 1.12.12-185.3.1
Patchnames:
openSUSE-2017-1060
openSUSE Leap 42.3
  • cvs >= 1.12.12-188.1
  • cvs-debuginfo >= 1.12.12-188.1
  • cvs-debugsource >= 1.12.12-188.1
  • cvs-doc >= 1.12.12-188.1
Patchnames:
openSUSE-2017-1060


List of planned updates

The following information is the current evaluation information for this security issue. It might be neither accurate nor complete. Use at your own risk.

| Product(s) | Source package |
|---|---|
| SUSE Linux Enterprise Module for Public Cloud 12 | python-dulwich |


Status of this issue by product and package

| Product(s) | Source package | State |
|---|---|---|
| SUSE Linux Enterprise Desktop 12 SP2 | cvs | Released |
| SUSE Linux Enterprise Desktop 12 SP3 | cvs | Released |
| SUSE Linux Enterprise SDK 11 SP4 | cvs | Released |
| SUSE Linux Enterprise Server 11 SP3 LTSS | cvs | Affected |
| SUSE Linux Enterprise Server 11 SP4 | cvs | Released |
| SUSE Linux Enterprise Server 12 GA | cvs | Affected |
| SUSE Linux Enterprise Server 12 SP1 | cvs | Affected |
| SUSE Linux Enterprise Server 12 SP2 | cvs | Released |
| SUSE Linux Enterprise Server 12 SP2 for Raspberry Pi | cvs | Released |
| SUSE Linux Enterprise Server 12 SP3 | cvs | Released |