CVE-2017-14176

Published: 05 September 2017

Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attackers to execute arbitrary commands via a bzr+ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-16228, CVE-2017-1000116, and CVE-2017-1000117.

From the Ubuntu security team

Adam Collard discovered that Bazaar did not properly handle host names in 'bzr+ssh://' URLs. A remote attacker could use this to construct a bazaar repository URL that when accessed could run arbitrary code with the privileges of the user.

Priority

CVSS 3 base score: 8.8

Status

Package	Release	Status
bzr Launchpad, Ubuntu, Debian	Upstream	Needs triage



	Ubuntu 18.04 LTS (Bionic Beaver)	Released (2.7.0+bzr6622-6ubuntu1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (2.7.0-2ubuntu3.1)
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (2.6.0+bzr6593-1ubuntu1.6)

References

Bugs

https://bugs.launchpad.net/bzr/+bug/1710979

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM