[SRCTREEWIN-7663] Remote Code Execution via Git and Mercurial - (CVE-2017-1000117, CVE-2017-1000115, CVE-2017-1000116) - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 2.1.10.0
Affects Version/s: None
Component/s: None
Labels:

Symptom Severity:
Severity 1 - Critical

SourceTree for Windows is affected by vulnerabilities found in the Git and Mercurial software. This vulnerability can be triggered through a malicious repository when it is checked out using SourceTree. From version 0.8.4b of SourceTree for Windows this vulnerability can be triggered from a webpage through the use of the SourceTree URI handler.

Affected versions:

Versions of SourceTree for Windows starting with 0.5.1.0 before version 2.1.10 are affected by this vulnerability.

Fix:

Upgrade SourceTree for Windows to version 2.1.10 or higher from https://www.sourcetreeapp.com/

For additional details see the full advisory.

relates to

SRCTREE-4904 Remote Code Execution via Git and Mercurial - (CVE-2017-1000117, CVE-2017-1000115, CVE-2017-1000116)

Closed

Yoichi NAKAYAMA added a comment - 24/Aug/2017 7:37 AM

SourceTree Version 2.1.11.0 was released, and I get git version 2.4.1 after upgrading it manually from SourceTree configuration dialog. Thanks!

https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.1.11.0.html

Yoichi NAKAYAMA added a comment - 24/Aug/2017 7:37 AM SourceTree Version 2.1.11.0 was released, and I get git version 2.4.1 after upgrading it manually from SourceTree configuration dialog. Thanks! https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.1.11.0.html

Yoichi NAKAYAMA added a comment - 18/Aug/2017 2:47 AM

Hi. I've updated SourceTree for Windows to Version 2.1.10.0, but it downloads PortableGit-2.13.2-32-bit.7z.exe from downloads.atlassian.com. I think it is CVE-2017-1000117 vulnerable. When is the fixed version delivered?

Yoichi NAKAYAMA added a comment - 18/Aug/2017 2:47 AM Hi. I've updated SourceTree for Windows to Version 2.1.10.0, but it downloads PortableGit-2.13.2-32-bit.7z.exe from downloads.atlassian.com. I think it is CVE-2017-1000117 vulnerable. When is the fixed version delivered?

Assignee:: Unassigned

Reporter:: Matt Hart (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 3 Start watching this issue

Created:: 31/Jul/2017 12:14 AM

Updated:: 26/Aug/2019 5:13 AM

Resolved:: 31/Jul/2017 12:15 AM

Sourcetree for Windows

Details

Description

Attachments

Issue Links

Forms

Activity

[SRCTREEWIN-7663] Remote Code Execution via Git and Mercurial - (CVE-2017-1000117, CVE-2017-1000115, CVE-2017-1000116)

Collapse comment: Yoichi NAKAYAMA added a comment - 24/Aug/2017 7:37 AM

Expand comment: Yoichi NAKAYAMA added a comment - 24/Aug/2017 7:37 AM

Collapse comment: Yoichi NAKAYAMA added a comment - 18/Aug/2017 2:47 AM

Expand comment: Yoichi NAKAYAMA added a comment - 18/Aug/2017 2:47 AM

People

Dates