SB2018082230 - Input validation error in myrepos (Alpine package)
Published: August 22, 2018
Security Bulletin ID
SB2018082230
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2018-7032)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
webcheckout in myrepos through 1.20171231 does not sanitize URLs that are passed to git clone, allowing a malicious website operator or a MitM attacker to take advantage of it for arbitrary code execution, as demonstrated by an "ext::sh -c" attack or an option injection attack.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=f0dc3a075c84dd1ab8b01e45fbc4e8f66f8952b8
- https://git.alpinelinux.org/aports/commit/?id=ae0cec2a723e93a224deb61c222e91f40c80e444
- https://git.alpinelinux.org/aports/commit/?id=a7953c341a585f8d48e4576758e0d33dd3287540
- https://git.alpinelinux.org/aports/commit/?id=b8aa48b63f0e9c71ac7f32c88567de03ee626f78