Developers around the world take note – you must update your version control systems now or face the possibility of being exploited due to a known flaw.
The three primary open-source version control systems – Git, Subversion (svn) and Mercurial – all issued updates today to patch for a critical vulnerability that could potentially enable an attacker to execute arbitrary code. The vulnerabilities were discovered and reported by Brian Neel at GitLab, Joern Schneeweisz of Recurity Labs and Jeff King at GitHub.
For Git, which is widely used for open-source development as the version control system behind the Linux kernel, GitHub and Gitlab, there are multiple releases to patch the new vulnerability. Released today are Git v2.14.1,2.7.6, v2.8.6, v2.9.5, v2.10.4, v2.11.3, v2.12.4, and v2.13.5 to patch for security.
“These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue,” Git maintainer Junio Hamano wrote in a mailing list message. “CVE-2017-9800 and CVE-2017-1000116 are assigned to these systems, respectively, for issues similar to it that are now addressed in their part of this coordinated release.”
The security flaw in question requires a bit of social engineering in order to work.
“A malicious third-party can give a crafted ‘ssh://…’ URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim’s machine being executed,” Git warns in its advisory.
The Apache Subversion (SVN) 1.9.7 update patches the CVE-2017-9800 issue, which is functionally similar to the one patched in Git.
“Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url,” is the one security issue patched in the new SVN update.
The open-source Mercurial version control project is updating for the issue with the new 4.3 and 4.2.3 updates. Mercurial has labelled the flaw as CVE-2017-1000115
“Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks by specifying a hostname starting with -oProxyCommand,” the Mercurial security advisory warns.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.