heroku/base-images

Please update the Heroku-16 images to include the fix for git CVE-2017-1000117

edmorley opened this issue · 3 comments

Currently the Heroku-16 images are using version 1:2.7.4-0ubuntu1 of the Ubuntu git package:

$ heroku run -- dpkg-query --show --showformat=\'\${Version}\' git
Running dpkg-query --show --showformat='${Version}' git on heroku-16-test... up, run.8077 (Free)
1:2.7.4-0ubuntu1

This is missing:

git (1:2.7.4-0ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Arbitrary code execution on clients through
    malicious ssh URLs.
    - debian/patches/CVE-2017-1000117.patch: filter out hostnames that
      would interpreted as cli arguments to ssh
    - debian/diff/0002-transport-expose-git_tcp_connect-and-friends-in-new-t.diff:
      update to adjust for changes from CVE-2017-1000117.patch.
    - CVE-2017-1000117

 -- Steve Beattie <SNIP>  Thu, 10 Aug 2017 14:15:28 -0700

git (1:2.7.4-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: git shell restriction bypass
    - debian/patches/CVE-2017-8386.patch: disallow repo names beginning
      with dash in shell.c.
    - CVE-2017-8386

 -- Marc Deslauriers <SNIP>  Fri, 12 May 2017 09:29:55 -0400

(From http://changelogs.ubuntu.com/changelogs/pool/main/g/git/git_2.7.4-0ubuntu1.2/changelog)

These fixes are also missing:
https://usn.ubuntu.com/usn/usn-3302-1/
https://usn.ubuntu.com/usn/usn-3297-1/
https://usn.ubuntu.com/usn/usn-3274-1/
https://usn.ubuntu.com/usn/usn-3282-1/
https://usn.ubuntu.com/usn/usn-3272-1/
https://usn.ubuntu.com/usn/usn-3272-2/
https://usn.ubuntu.com/usn/usn-3318-1/
https://usn.ubuntu.com/usn/usn-3212-1/
https://usn.ubuntu.com/usn/usn-3212-2/

Judging from the timestamps in the image, I don't think it's been updated at all since 24th Feb 2017, which is slightly concerning.

Is there a process in place for generating regular updates (a) every N months, (b) in response to new CVE announcements?
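The version check in the issue body compares the installed package version against the Ubuntu changelog by eye. As an added example (not from this issue and not part of the heroku/base-images project), the script below automates that comparison: it implements dpkg's version ordering (epoch, upstream part, Debian revision, with `~` sorting before everything) in plain Python and reports which of the two xenial git security updates quoted in the changelog an installed version still lacks. The fixed-version strings are taken from the changelog above; the function names and the `FIXED_VERSIONS` table are my own. Feed it the output of the `dpkg-query` command shown in the issue.

```python
"""Report which git security updates an installed Ubuntu package version lacks,
using dpkg-compatible version comparison (no dpkg binary required)."""
import re
import sys
from itertools import zip_longest

# Fixed versions from the xenial changelog quoted in this issue (assumption:
# the fix for each CVE is present from that upload onwards).
FIXED_VERSIONS = {
    "CVE-2017-8386": "1:2.7.4-0ubuntu1.1",      # git shell restriction bypass
    "CVE-2017-1000117": "1:2.7.4-0ubuntu1.2",   # ssh:// URL argument injection
}


def _order(c):
    """dpkg ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment the dpkg way: alternate
    non-digit runs (lexical, '~' first) and digit runs (numeric)."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group(0)
        sb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return (d > 0) - (d < 0)
        na = re.match(r"[0-9]*", a).group(0)
        nb = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        d = int(na or 0) - int(nb or 0)
        if d:
            return (d > 0) - (d < 0)
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (epoch defaults to 0)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def missing_fixes(installed, fixed=FIXED_VERSIONS):
    """CVE ids whose fixed version is newer than the installed version."""
    return sorted(cve for cve, v in fixed.items() if compare_versions(installed, v) < 0)


if __name__ == "__main__":
    # Pass the version printed by:
    #   dpkg-query --show --showformat='${Version}' git
    installed = sys.argv[1] if len(sys.argv) > 1 else "1:2.7.4-0ubuntu1"
    gaps = missing_fixes(installed)
    print(f"git {installed}: " + (", ".join(gaps) + " missing" if gaps else "all listed fixes present"))
```

For the image version quoted in the issue (`1:2.7.4-0ubuntu1`) the script reports both CVEs as missing; for `1:2.7.4-0ubuntu1.2` it reports none. The same table can be extended with any other package/fixed-version pairs from the USN pages linked above to audit a whole image from a `dpkg-query` listing.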

tt commented

We release new stack images mostly based on advisories from our own security team. The timeline for patching varies by severity. Some of the factors that contribute are how the vulnerability would be exploited, the likelihood of an exploit and whether workarounds exist.

In the case of CVE-2017-1000117, we updated our own Git service within hours as that was a high-risk target. It's much less likely that apps running on Heroku clone repositories, and even less likely that they do so based on arbitrary user input, so testing for regressions became more important than rolling out a fix immediately. Apps that might be affected could set GIT_ALLOW_PROTOCOL, which we intended to post to our changelog but sadly missed.

Testing for regressions is particularly important. We've seen a number of odd cases such as this EGLIBC bug and this OpenSSL bug. Sometimes these errors affect many apps and are easy to spot, but sometimes they only manifest due to our scale, which makes them almost impossible to detect for anyone but the affected customer.

Better tooling for building stack images is definitely part of the answer. We should catch regressions like the changed dependency tree (and now will thanks to #73) and we should make it possible to introduce urgent updates to specific packages without touching anything else. These are things we'll continue to work on.

Anyway, the Heroku-16 stack image was updated early last week and the Cedar-14 stack image is now finally updated based on latest packages.

Thank you for reporting this issue.

That makes sense - thank you for the image update & the extra context :-)