CVE-2017-14176 in Ubuntu

CVE-2017-14176

Priority

Description

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers
to execute arbitrary commands via a bzr+ssh URL with an initial dash
character in the hostname, a related issue to CVE-2017-9800,
CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and
CVE-2017-1000117.

Ubuntu-Description

Adam Collard discovered that Bazaar did not properly handle host names
in 'bzr+ssh://' URLs. A remote attacker could use this to construct
a bazaar repository URL that when accessed could run arbitrary code
with the privileges of the user.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
https://usn.ubuntu.com/usn/usn-3411-1
https://usn.ubuntu.com/usn/usn-3411-2

Bugs

https://bugs.launchpad.net/bzr/+bug/1710979

Notes

Package

Source: bzr (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):	released (2.5.1-0ubuntu2.1)
Ubuntu 14.04 ESM (Trusty Tahr):	released (2.6.0+bzr6593-1ubuntu1.6)
Ubuntu 16.04 LTS (Xenial Xerus):	released (2.7.0-2ubuntu3.1)
Ubuntu 18.04 LTS (Bionic Beaver):	released (2.7.0+bzr6622-6ubuntu1)

More Information

Updated: 2019-12-05 18:48:12 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)