Re: Fossil-SCM patch fixes RCE in all historic versions

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Thu, Aug 20, 2020 at 11:15:41AM -0400, Richard Hipp wrote:
> Researcher Max Justicz discovered a potential RCE and other
> vulnerabilities in the Fossil distributed version control system.
> (https://fossil-scm.org/)  Patches to address these issues are now
> available for download.  Package maintainers who bundle Fossil are
> encouraged to update their packages without unnecessary delay.
>
> All vulnerabilities require a pre-existing trust relationship between
> the victim and the attacker.  In other words, the attacker must be
> either a site administrator, or someone with check-in privileges on
> the project.  There are no known vulnerabilities to servers from web
> users entering tickets or forum messages or wiki or doing other
> on-line operations.  The attacks require the ability to push, at
> least, and the most serious RCE problem requires the ability to
> configure a server in malicious ways.  If you are unable to upgrade to
> one of the patched versions of Fossil, then you are encouraged at
> least to know well the people from whom you clone or pull.
>
> Precompiled binaries and source tarballs for the patched versions of
> Fossil are available on the Fossil download page
> (http://fossil-scm.org/fossil/uv/download.html).  However, the dozens
> of check-ins that went into generating these patches, and the tickets
> that describe the specifics of the vulnerabilities, will be embargoed
> for a few days.
>
> See the thread on the Fossil Forum
> (https://fossil-scm.org/forum/info/a05ae3ce7760daf6) for follow up
> information or to communicate directly with the Fossil developers.

FWIW, the RCE issue has been assigned CVE-2020-24614 by MITRE.

Regards,
Salvatore