• Severity 1 - Critical

      SourceTree for Mac is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface.

      Affected versions:

      • Versions of SourceTree for Mac starting with 1.4.0 before version 2.5.1 are affected by this vulnerability.

      Fix:

      Acknowledgements
      We would like to credit Yu Hong for reporting this issue to us.

      For additional details see the full advisory.

            [SRCTREE-4738] Command Injection (CVE-2017-8768)

            Alberto T Gomez made changes -
            Link Original: This issue relates to SRCTREEWIN-7161 [ SRCTREEWIN-7161 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JAC Bug Workflow v3 [ 3369774 ] New: SRCTREE JAC Bug Workflow [ 3737013 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: SourceTree Bug Workflow [ 2015638 ] New: JAC Bug Workflow v3 [ 3369774 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            nma (Inactive) made changes -
            Labels Original: CVE-2017-8768 advisory cvss-high security New: CVE-2017-8768 advisory command-injection cvss-high injection security
            Matt Hart (Inactive) made changes -
            Labels Original: CVE-2017-8768 advisory cvss-high no-advisory-required security New: CVE-2017-8768 advisory cvss-high security

            yat_cumc added a comment - - edited

            Ah yes I forgot about the app signature. If I understand your screenshot correctly, it looks like the later versions of SourceTree automatically check the signature on launch? I guess my version of SourceTree is too old to even have that lol. I can manually verify that the signature validation fails though:

            $ codesign -dv --verbose=4 /Applications/SourceTree.app/
            /Applications/SourceTree.app/: invalid signature (code or signature have been modified)

            Unfortunately I can't update SourceTree on my OSX version and I think I'd rather live with an incorrect signature than a potential drive-by exploit.

            BTW, this is kind of off-topic but how do you @ mention correctly? Doesn't seem to work

            Brian Ganninger (Inactive) added a comment - - edited

            yat.so Doing that invalidates the code signature of the app, compromising security technically.

            Brian Ganninger (Inactive) made changes -
            Attachment New: Screen Shot 2017-05-11 at 6.21.24 PM.png [ 281016 ]

            yat_cumc added a comment - - edited

            @Brian Ganninger Have you tried it also with the Info.plist modification as mentioned in step 1? I just re-tested this... it looks like if I modify the Info.plist to comment out the CFBundleURLTypes entry and I re-register SourceTree with LaunchServices using the following command, the URL scheme still doesn't trigger SourceTree:

            /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -v /Applications/SourceTree.app/

            I also tried uncommenting the entry in Info.plist and un-registering then re-registering it and the URL Scheme once again triggers SourceTree. This seems to imply the URL scheme is permanently disabled by editing the Info.plist along with unregistering SourceTree unless I'm missing something?

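The two defensive checks discussed in this thread, as an added example that is not code from this ticket, its commenters, or Atlassian: a POSIX sh script that reads a SourceTree.app Info.plist, decides whether CFBundleShortVersionString falls in the range the advisory lists as affected (1.4.0 up to but excluding 2.5.1), and whether the CFBundleURLTypes block still registers the URL scheme or has been commented out as described above. The scheme name `sourcetree`, the two sample plists, and all function names are assumptions made here; the signature check simply wraps the `codesign` verification shown earlier and is skipped on hosts without it.

```shell
#!/bin/sh
# Added example, not code from this ticket, its reporter, or Atlassian.
# Checks: (1) is CFBundleShortVersionString inside the advisory's affected range
# 1.4.0 <= v < 2.5.1; (2) does Info.plist still register the URL scheme under
# an uncommented CFBundleURLTypes block. The scheme name "sourcetree" and the
# sample plists below are constructed assumptions; on a real Mac pass
# /Applications/SourceTree.app/Contents/Info.plist instead.

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}

# sourcetree_affected V: succeeds when 1.4.0 <= V < 2.5.1 (range from the advisory).
sourcetree_affected() {
  if version_lt "$1" "1.4.0"; then return 1; fi
  version_lt "$1" "2.5.1"
}

# plist_version FILE: prints CFBundleShortVersionString, skipping XML comments.
plist_version() {
  awk '
    /<!--/ { incomment = 1 }
    incomment { if (/-->/) incomment = 0; next }
    /<key>CFBundleShortVersionString<\/key>/ { want = 1; next }
    want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  ' "$1"
}

# plist_registers_scheme FILE SCHEME: succeeds when SCHEME occurs as a <string>
# after an uncommented <key>CFBundleURLTypes</key>; a commented-out block does not count.
plist_registers_scheme() {
  awk -v scheme="$2" '
    /<!--/ { incomment = 1 }
    incomment { if (/-->/) incomment = 0; next }
    /<key>CFBundleURLTypes<\/key>/ { inblock = 1; next }
    inblock && /<string>/ {
      s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
      if (s == scheme) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# bundle_exposed FILE: succeeds only when the version is affected AND the scheme
# is still registered, i.e. the browser-triggered path is still reachable.
bundle_exposed() {
  v=$(plist_version "$1")
  sourcetree_affected "$v" && plist_registers_scheme "$1" sourcetree
}

# signature_valid APP: the codesign verification from the thread; returns 2
# (skipped) on hosts without codesign, so it only means something on macOS.
signature_valid() {
  command -v codesign >/dev/null 2>&1 || return 2
  codesign --verify --deep "$1" >/dev/null 2>&1
}

# Constructed sample plists: one as shipped, one with CFBundleURLTypes commented out.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/shipped.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleShortVersionString</key>
  <string>2.4.0</string>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>sourcetree</string></array>
  </dict></array>
</dict></plist>
EOF
cat > "$SAMPLE_DIR/mitigated.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleShortVersionString</key>
  <string>2.4.0</string>
  <!--
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>sourcetree</string></array>
  </dict></array>
  -->
</dict></plist>
EOF

for f in "$SAMPLE_DIR/shipped.plist" "$SAMPLE_DIR/mitigated.plist"; do
  if bundle_exposed "$f"; then
    echo "$f: version $(plist_version "$f") affected and scheme registered -> exposed"
  else
    echo "$f: not exposed (fixed version or URL scheme disabled)"
  fi
done
```

Editing Info.plist only takes effect once LaunchServices re-reads the bundle, which is why the comment above re-runs `lsregister`; the script only inspects the file, so run that step separately and then confirm with `signature_valid`, which will fail after any edit to the bundle exactly as the codesign output earlier in the thread shows.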

            Rahul Chhabria (Inactive) added a comment - - edited

            Hi cmc,

            Unfortunately, not at the moment. We support two versions of macOS and do not support older versions of SourceTree. As a best practice, we recommend updating to the most current version to get new features, bug fixes, and security patches. Thank you for reaching out.

            Best,

            Rahul

            Product Manager | SourceTree

              Unassigned Unassigned
              aminozhenko alexmin (Inactive)
              Affected customers: 0
              Watchers: 12