Sourcetree Security Advisory 2018-01-24


Sourcetree - Various vulnerabilities - CVE-2017-14592, CVE-2017-14593, CVE-2017-17458


Summary

CVE-2017-14592 - Various argument and command injection issues in Sourcetree for macOS.


CVE-2017-14593 - Various argument and command injection issues in Sourcetree for Windows.


CVE-2017-17458 - Mercurial: arbitrary command execution in mercurial repo with a git submodule


CVE-2017-17831 - Git LFS: Arbitrary command injection in urls in a git repository with Git LFS enabled.

Advisory Release Date

10 AM PDT (Pacific Time, -8 hours)

Products
  • Sourcetree for macOS
  • Sourcetree for Windows

Affected Sourcetree Versions

  • Sourcetree for macOS 1.0b2 <= version < 2.7.0
  • Sourcetree for Windows 0.5.1.0 <= version < 2.4.7.0

Fixed Sourcetree Versions

  • Sourcetree for macOS version 2.7.0 and higher.
  • Sourcetree for Windows version 2.4.7.0 and higher.

CVE ID(s)

CVE-2017-14592
CVE-2017-14593
CVE-2017-17458

CVE-2017-17831


Summary of Vulnerability

This advisory discloses critical severity security vulnerabilities which affect Sourcetree for macOS and Sourcetree for Windows.

Customers who have upgraded Sourcetree for macOS to version 2.7.0 are not affected.

Customers who have upgraded Sourcetree for Windows to version 2.4.7.0 are not affected.

Customers who have downloaded and installed Sourcetree for macOS starting with 1.0b2 before version 2.7.0, or Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0, are affected.

Please upgrade your Sourcetree for macOS or Sourcetree for Windows installations immediately to fix the vulnerabilities mentioned in this advisory.


Sourcetree for macOS - Various argument and command injection issues (CVE-2017-14592)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.

From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5243.

Acknowledgements

Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

Sourcetree for Windows - Various argument and command injection issues (CVE-2017-14593)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.

From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8256.

Acknowledgements

Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

Sourcetree for macOS and Windows - Mercurial: arbitrary command execution in mercurial repositories with a git submodule (CVE-2017-17458)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

The embedded version of Mercurial used in Sourcetree for macOS and Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they commit to a Mercurial repository linked in Sourcetree for macOS or Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script. This allows the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS or Sourcetree for Windows. Sourcetree for macOS and Sourcetree for Windows perform background indexing, which allows for this issue to be exploited without a user needing to directly interact with the git subrepository.

From version 1.4.0 of Sourcetree for macOS and 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5244.

Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8257.

Acknowledgements

Atlassian would like to credit Zhang Tianqi @ Tophant for reporting this issue to us.

Sourcetree for macOS and Windows - Git LFS: Arbitrary command execution in repositories with Git LFS enabled (CVE-2017-17831)

Severity

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

The embedded version of Git LFS used in Sourcetree for macOS and Windows was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS or Sourcetree for Windows by adding a .lfsconfig file containing a malicious lfs url. This allows them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS or Sourcetree for Windows. This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5246.

Versions of Sourcetree for Windows starting with 1.7.0 before version 2.4.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8261.
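The two descriptions above both come down to a file an attacker can commit: a Mercurial .hgsub that pulls in a git subrepository (CVE-2017-17458) and a Git LFS .lfsconfig carrying a malicious url (CVE-2017-17831). The following audit helper is an added example, not Atlassian's code or the fix shipped in Sourcetree; it reads those two files and flags git subrepos and LFS URLs that are not plain https. The file formats and the LFS key names are real; the flagging rules and the sample files are this example's own assumptions.

```python
import re

# Anything in a URL that looks like a command-line option or shell syntax
# (heuristic chosen for this example, not a Git LFS rule).
URL_RED_FLAGS = re.compile(r"^-|[;&|`$<>\s]")

# Git LFS config keys that carry an endpoint URL (lfs.url, lfs.pushurl,
# remote.<name>.lfsurl, remote.<name>.lfspushurl).
LFS_URL_KEYS = {"url", "pushurl", "lfsurl", "lfspushurl"}


def git_subrepos_in_hgsub(text):
    """Return (path, url) for every .hgsub entry declared as a [git] subrepo."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        path, source = (part.strip() for part in line.split("=", 1))
        if source.startswith("[git]"):
            found.append((path, source[len("[git]"):]))
    return found


def parse_git_config(text):
    """Minimal git-config style reader yielding (section, key, value)."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            yield section, key.lower(), value.strip('"')


def suspicious_lfs_urls(text):
    """Return (section, url) pairs from .lfsconfig that are not clean https URLs."""
    hits = []
    for section, key, value in parse_git_config(text):
        if key not in LFS_URL_KEYS:
            continue
        if not value.startswith("https://") or URL_RED_FLAGS.search(value):
            hits.append((section, value))
    return hits


# Constructed sample files (not taken from any real repository).
SAMPLE_HGSUB = "vendor/lib = [git]https://example.invalid/lib.git\ndocs = docs-subrepo\n"
SAMPLE_LFSCONFIG = ('[lfs]\n\turl = "https://lfs.example.invalid/org/repo"\n'
                    '[remote "mirror"]\n\tlfsurl = ssh://git@example.invalid/org/repo.git\n')
```

Run it over a freshly cloned repository before opening the repository in an unpatched client; a non-empty result from either function is a reason to inspect the commit that introduced the file.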

What You Need to Do

Atlassian recommends that you upgrade to the latest version of Sourcetree:

  • To version 2.7.0 or higher for macOS.
    NOTE: Mac OS X 10.11 or later is required for Sourcetree 2.5.0 or later.
  • To version 2.4.7.0 or higher for Windows, and manually uninstall any older versions of Sourcetree. If you are using the embedded version of Git and/or Mercurial, then after updating Sourcetree you should update the embedded version. To update the embedded version of Git, select "Options" from the "Tools" menu, click on the Git tab and then click on the 'Update Embedded Git' button. To update the embedded version of Mercurial, select "Options" from the "Tools" menu, click on the Mercurial tab and then click on the 'Update Embedded Mercurial' button. If you are using the system-provided Git and/or Mercurial, please ensure that you keep the system version up to date.

For a full description of the latest version of Sourcetree, see the release notes for macOS and Windows. You can download the latest versions of Sourcetree from the Sourcetree website.


Support

Atlassian supports Sourcetree through the Atlassian Community. If you have questions or concerns regarding this advisory, please raise them via https://community.atlassian.com/t5/Sourcetree/ct-p/Sourcetree.


References

Severity Levels for security issues

Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.

Last modified on Mar 8, 2018
