• Severity 1 - Critical

      SourceTree for Windows is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface.

      Affected versions:

      • Versions of SourceTree for Windows starting with 0.8.4b before version 2.0.20.1 are affected by this vulnerability.

      Fix:

      Acknowledgements
      We would like to credit Yu Hong for reporting this issue to us.

      For additional details see the full advisory.


            [SRCTREEWIN-7161] Command Injection (CVE-2017-8768)

            Alberto T Gomez made changes -
            Link Original: This issue is related to SRCTREE-4738 [ SRCTREE-4738 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JAC Bug Workflow v3 [ 3450615 ] New: SRCTREE JAC Bug Workflow [ 3738998 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: SourceTree Bug Workflow [ 2015636 ] New: JAC Bug Workflow v3 [ 3450615 ]
            Matt Hart (Inactive) made changes -
            Labels Original: CVE-2017-8768 advisory cvss-critical security New: CVE-2017-8768 advisory security
            Matt Hart (Inactive) made changes -
            Labels Original: CVE-2017-8768 advisory security New: CVE-2017-8768 advisory cvss-critical security

            Chris F added a comment - - edited

            I also am staying on version 1.7 as I'm unable to use the UI in later versions.


            Tim - I found the same thing with the missing key being re-added.

However, what I found was that it doesn't check the key value of the actual command for changes.

What I did was modify the command to not allow any parameters - this key value remains the same after restarts.

            Reg file to fix this is below.

            Can the devs confirm this will fix the issue?


            Remove-sourcetree-link.reg

            Windows Registry Editor Version 5.00
            
            [HKEY_CLASSES_ROOT\sourcetree\shell\open\command]
            @="\"C:\\Program Files (x86)\\Atlassian\\SourceTree\\SourceTree.exe\""
            
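To audit whether a Windows host still exposes the vulnerable handler, the following PowerShell check (added here as an example; it is not from Atlassian or from this ticket) reads the sourcetree: URI handler discussed in the comments above and reports whether the registered command forwards the URI argument (a %1 placeholder) and whether the installed SourceTree.exe is older than the fixed 2.0.20.1. The exe path is assumed to be the default install location quoted in the .reg file above.

```powershell
# Added example (not from the ticket): audit the sourcetree: URI handler.
# Assumptions: default install path taken from the .reg file above; read-only checks only.
$key   = 'Registry::HKEY_CLASSES_ROOT\sourcetree\shell\open\command'
$exe   = 'C:\Program Files (x86)\Atlassian\SourceTree\SourceTree.exe'
$fixed = [version]'2.0.20.1'   # first version the advisory lists as fixed

$findings = @()

if (Test-Path -Path $key) {
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    # A handler containing "%1" passes the browser-supplied URI to SourceTree;
    # the hardened command from the comment above drops every parameter.
    if ($cmd -match '%1') {
        $findings += "URI handler forwards the URI argument: $cmd"
    } else {
        $findings += "URI handler registered without parameters: $cmd"
    }
} else {
    $findings += 'No sourcetree: URI handler registered (HKCR\sourcetree missing)'
}

if (Test-Path -Path $exe) {
    # Keep only the leading dotted-numeric part of FileVersion before casting.
    $raw = (Get-Item -Path $exe).VersionInfo.FileVersion
    $ver = [version]($raw -replace '[^\d.].*$', '')
    if ($ver -lt $fixed) {
        $findings += "SourceTree $ver is older than the fixed $fixed (affected range)"
    } else {
        $findings += "SourceTree $ver is at or above $fixed"
    }
} else {
    $findings += "SourceTree.exe not found at $exe"
}

$findings | ForEach-Object { Write-Output $_ }
```

Note that, as the comments below describe, an affected version re-creates the key on launch unless the "Use this version of SourceTree for URI association" option is unchecked, so re-run the check after the application has been started.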

            Tim Wylie added a comment -

            I can't see that option in 1.7.0.32509 (Windows) but I appreciate it's an older version so the option might not be available. Thanks again!

            Tim Wylie made changes -
            Attachment New: SourceTree.png [ 281013 ]

            minnsey added a comment -

            sourcetree79

You should uncheck the "Use this version of SourceTree for URI association" option in the Tools/Options/General tab in SourceTree; this will prevent the registry setting being recreated.

Alternatively, toggling the same checkbox off/on in v2.0.20.1 will reset the URI association to use v2.0.20.1.


            Tim Wylie added a comment - - edited

            Thanks Michael!

            For anyone in the same situation, I think the only action required to disable the protocol is to remove this registry key (if it exists):

            HKEY_CLASSES_ROOT\sourcetree

            Edit: when the program launches it re-adds the registry entry...I disabled it by restricting permissions on the key. I can't find anything in options to turn this off, have I missed something?

