bzr+ssh URLs don't strip SSH options
Bug #1710979 reported by Jelmer Vernooij
This bug affects 6 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bazaar | Confirmed | Undecided | Unassigned | |
| Breezy | Fix Released | Critical | Jelmer Vernooij | |
| bzr (Ubuntu) | Fix Released | Critical | Unassigned | |
Bug Description
Bazaar suffers from the same bug that affects Mercurial and Git:
A hostname that starts with a - is passed on verbatim to the ssh command, which means that the host bit in the URL can be used to set arbitrary SSH options.
E.g. bzr log "bzr+ssh:
Presumably this only affects users that are using the Subprocess SSH vendor, and not those using the Paramiko SSH Vendor.
See e.g. https:/
Changed in bzr:
    status: New → Confirmed
Changed in brz:
    status: New → Confirmed
    status: Confirmed → Triaged
    importance: Undecided → Critical
Changed in brz:
    assignee: nobody → Jelmer Vernooij (jelmer)
    milestone: none → 3.0.0
Changed in brz:
    status: Triaged → Fix Released
Changed in bzr (Ubuntu):
    importance: Undecided → Critical
Changed in bzr:
    status: Confirmed → Fix Released
Subversion explored poking a -- on the ssh command string to be safe, but discovered that putty's implementation doesn't understand -- so it would have broken Windows users.
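The following is an added example, not code from Bazaar or Breezy, illustrating both the bug described in the report (a host beginning with `-` is handed to ssh verbatim and read as an option) and the mitigation alternative raised in the comment above (validating the host instead of inserting `--`, since plink does not understand `--`). The URL parser, the argv builders, the `StrangeHostname` exception and the getopt simulator are all illustrative names and assumptions, not Breezy's real API; the ssh option table in `SSH_OPTS_WITH_ARG` is only an approximation of ssh(1) used by the simulator, and no ssh process is spawned.

```python
"""Added example, not Bazaar/Breezy code: how the host part of a bzr+ssh URL
ends up as an ssh option, and a host check that closes the hole without a
'--' separator.  parse_bzr_ssh_url, vulnerable_ssh_argv, safe_ssh_argv,
simulate_ssh_parse and StrangeHostname are illustrative names (assumptions),
not Breezy's API.
"""
from urllib.parse import unquote

# ssh(1) single-letter options that take an argument (approximate list, used
# only by the simulator below, which mimics getopt-style parsing of argv).
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")


class StrangeHostname(ValueError):
    """Host that ssh would read as an option rather than as a destination."""


def parse_bzr_ssh_url(url):
    """Split bzr+ssh://[user@]host[:port]/path into (user, host, port, path)."""
    prefix = "bzr+ssh://"
    if not url.startswith(prefix):
        raise ValueError("not a bzr+ssh URL: %r" % (url,))
    netloc, _, path = url[len(prefix):].partition("/")
    user = port = None
    if "@" in netloc:
        user, netloc = netloc.rsplit("@", 1)
    if ":" in netloc:
        netloc, port_str = netloc.rsplit(":", 1)
        port = int(port_str)
    return user, unquote(netloc), port, "/" + path


def _argv(user, host, port, remote_cmd):
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]      # option argument: safe even if odd
    if user is not None:
        argv += ["-l", user]           # option argument: safe even if odd
    argv.append(host)                  # positional: nothing marks it as a host
    return argv + list(remote_cmd)


def vulnerable_ssh_argv(url, remote_cmd=("bzr", "serve", "--inet")):
    """The buggy shape: the host is appended verbatim, so a host such as
    '-oProxyCommand=...' is parsed by ssh as an option."""
    user, host, port, _ = parse_bzr_ssh_url(url)
    return _argv(user, host, port, remote_cmd)


def safe_ssh_argv(url, remote_cmd=("bzr", "serve", "--inet")):
    """Hardened shape: refuse empty hosts and hosts beginning with '-'.
    Validating the host, rather than inserting '--', keeps the argv usable
    with plink, which the comment above says does not understand '--'."""
    user, host, port, _ = parse_bzr_ssh_url(url)
    if not host or host.startswith("-"):
        raise StrangeHostname("refusing to connect to strange hostname %r" % (host,))
    return _argv(user, host, port, remote_cmd)


def url_is_accepted(url):
    """True if safe_ssh_argv would build a command line for this URL."""
    try:
        safe_ssh_argv(url)
    except StrangeHostname:
        return False
    return True


def simulate_ssh_parse(argv):
    """Approximate OpenSSH's getopt pass: every argv element before the first
    non-option is an option; the first non-option is the destination.
    Returns (options, destination, remote_command)."""
    options, i = [], 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                # explicit end of options
            i += 1
            break
        if not arg.startswith("-") or arg == "-":
            break
        if len(arg) == 2 and arg[1] in SSH_OPTS_WITH_ARG:
            options.append(arg + argv[i + 1])   # '-o' 'Key=Value' form
            i += 2
        else:
            options.append(arg)                 # '-oKey=Value' form
            i += 1
    if i >= len(argv):
        return options, None, []
    return options, argv[i], argv[i + 1:]


if __name__ == "__main__":
    # Constructed malicious URL: the "host" is an ssh option.
    evil = "bzr+ssh://-oProxyCommand=touch%20pwned/repo"
    argv = vulnerable_ssh_argv(evil)
    print("vulnerable argv:", argv)
    print("ssh would see:", simulate_ssh_parse(argv))
    print("accepted by hardened builder:", url_is_accepted(evil))
```

With the constructed URL, the vulnerable builder yields `ssh -oProxyCommand=touch pwned bzr serve --inet`; the simulator shows that ssh treats the first element as an option and `bzr` as the destination, so the proxy command runs before any connection is attempted. The hardened builder raises `StrangeHostname` instead. Only a subprocess-based SSH vendor builds such a command line, which matches the report's note that the Paramiko vendor is presumably unaffected.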