3 https://bugs.launchpad.net/bzr/+bug/1710979
4 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176
6 Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1:
8 https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204
10 Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs
11 Bug: https://bugs.launchpad.net/brz/+bug/1710979
12 Bug-Debian: https://bugs.debian.org/874429
13 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176
15 Author: Jelmer Vernooij <jelmer@jelmer.uk>
16 Last-Update: 2017-11-26
18 === modified file 'bzrlib/tests/test_ssh_transport.py'
19 --- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000
20 +++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000
22 SSHCorpSubprocessVendor,
31 class SubprocessVendorsTests(TestCase):
33 + def test_openssh_command_tricked(self):
34 + vendor = OpenSSHSubprocessVendor()
36 + vendor._get_vendor_specific_argv(
37 + "user", "-oProxyCommand=blah", 100, command=["bzr"]),
38 + ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
39 + "-oClearAllForwardings=yes",
40 + "-oNoHostAuthenticationForLocalhost=yes",
44 + "-oProxyCommand=blah", "bzr"])
46 def test_openssh_command_arguments(self):
47 vendor = OpenSSHSubprocessVendor()
50 "-oNoHostAuthenticationForLocalhost=yes",
58 "-oNoHostAuthenticationForLocalhost=yes",
61 - "-s", "host", "sftp"]
62 + "-s", "--", "host", "sftp"]
65 + def test_openssh_command_tricked(self):
66 + vendor = SSHCorpSubprocessVendor()
69 + vendor._get_vendor_specific_argv,
70 + "user", "-oProxyCommand=host", 100, command=["bzr"])
72 def test_sshcorp_command_arguments(self):
73 vendor = SSHCorpSubprocessVendor()
79 + def test_lsh_command_tricked(self):
80 + vendor = LSHSubprocessVendor()
83 + vendor._get_vendor_specific_argv,
84 + "user", "-oProxyCommand=host", 100, command=["bzr"])
86 def test_lsh_command_arguments(self):
87 vendor = LSHSubprocessVendor()
90 "--subsystem", "sftp", "host"]
93 + def test_plink_command_tricked(self):
94 + vendor = PLinkSubprocessVendor()
97 + vendor._get_vendor_specific_argv,
98 + "user", "-oProxyCommand=host", 100, command=["bzr"])
100 def test_plink_command_arguments(self):
101 vendor = PLinkSubprocessVendor()
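Review bot: test_openssh_command_tricked asserts that a hostname of the form `-oProxyCommand=blah` is passed through after the `--` separator rather than rejected, while the SSHCorp, LSH and PLink tricked tests appear to assert that `_get_vendor_specific_argv` raises (the assertion lines themselves are not visible in this excerpt), and nothing in the test file records why the OpenSSH vendor is treated differently. The ssh.py section below shows the reason — the OpenSSH vendor relies on `--` to terminate option parsing, whereas the other three vendors call `_check_hostname` and raise StrangeHostname — but a reader of the tests alone may take the OpenSSH expectation for a missed rejection. I would add a comment above test_openssh_command_tricked: `# OpenSSH honours '--', so an option-like host is forwarded as a hostname; the other vendors have no such separator and reject it via StrangeHostname instead.` The expected argv list in the OpenSSH test is only partially visible here, so the intermediate `-o` options it checks cannot be reviewed from this excerpt, and the enclosing SubprocessVendorsTests class continues past the end of the section.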
104 === modified file 'bzrlib/transport/ssh.py'
105 --- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000
106 +++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000
108 from paramiko.sftp_client import SFTPClient
111 +class StrangeHostname(errors.BzrError):
112 + _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
119 # tests, but beware of using PIPE which may hang due to not being read.
120 _stderr_target = None
123 + def _check_hostname(arg):
124 + if arg.startswith('-'):
125 + raise StrangeHostname(hostname=arg)
127 def _connect(self, argv):
128 # Attempt to make a socketpair to use as stdin/stdout for the SSH
129 # subprocess. We prefer sockets to pipes because they support
131 if username is not None:
132 args.extend(['-l', username])
133 if subsystem is not None:
134 - args.extend(['-s', host, subsystem])
135 + args.extend(['-s', '--', host, subsystem])
137 - args.extend([host] + command)
138 + args.extend(['--', host] + command)
141 register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
144 def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
146 + self._check_hostname(host)
147 args = [self.executable_path, '-x']
149 args.extend(['-p', str(port)])
152 def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
154 + self._check_hostname(host)
155 args = [self.executable_path]
157 args.extend(['-p', str(port)])
160 def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
162 + self._check_hostname(host)
163 args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
165 args.extend(['-P', str(port)])