FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

GitLab -- two vulnerabilities

Affected packages
7.9.0 <= gitlab <= 8.17.8
9.0.0 <= gitlab <= 9.0.12
9.1.0 <= gitlab <= 9.1.9
9.2.0 <= gitlab <= 9.2.9
9.3.0 <= gitlab <= 9.3.9
9.4.0 <= gitlab <= 9.4.3

Details

VuXML ID abcc5ad3-7e6a-11e7-93f7-d43d7e971a1b
Discovery 2017-08-10
Entry 2017-08-11

GitLab reports:

Remote Command Execution in git client

An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the "Repo by URL" import option in GitLab. The command line git client was not properly escaping command line arguments in URLs using the SSH protocol before invoking the SSH client. A specially crafted URL could be used to execute arbitrary shell commands on the GitLab server.
To fully patch this vulnerability two fixes were needed. The Omnibus versions of GitLab contain a patched git client. For source users who may still be running an older version of git, GitLab now also blocks import URLs containing invalid host and usernames.
This issue has been assigned CVE-2017-12426.

Improper sanitization of GitLab export files on import

GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a patch for a critical directory traversal vulnerability in the GitLab export feature that could be exploited by including symlinks in the export file and then re-importing it to a GitLab instance. This vulnerability was patched by checking for and removing symlinks in these files on import.
Recurity-Labs also determined that this fix did not properly remove symlinks for hidden files. Though not as dangerous as the original vulnerability hidden file symlinks could still be used to steal copies of git repositories belonging to other users if the path to the git repository was known by the attacker. An updated fix has been included in these releases that properly removes all symlinks.
This import option was not made available to non-admin users until GitLab 8.13.0.

References

CVE Name CVE-2017-12426
URL https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/