[Libvirt-ci] Broken: libvirt/libvirt#445 (master - e4cb850)

Build Update for libvirt/libvirt
-------------------------------------

Build: #445
Status: Broken
Duration: 1 hour, 9 minutes, and 0 seconds
Commit: e4cb850 (master)
Author: Daniel P. Berrange

Message: rpc: avoid ssh interpreting malicious hostname as arguments

Inspired by the recent GIT / Mercurial security flaws
(http://blog.recurity-labs.com/2017-08-10/scm-vulns), consider
someone/something manages to feed libvirt a bogus URI such as:

    virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system

In this case, the hostname "-oProxyCommand=gnome-calculator" will get
interpreted as an argument to ssh, not a hostname. Fortunately, due to
the set of args we have following the hostname, SSH will then interpret
our bit of shell script that runs 'nc' on the remote host as a cipher
name, which is clearly invalid. This makes ssh exit during argv parsing
and so it never tries to run gnome-calculator.

We are lucky this time, but let's be more paranoid, by using '--' to
explicitly tell SSH when it has finished seeing command line options.
This forces it to interpret "-oProxyCommand=gnome-calculator" as a
hostname, and thus see a fail from hostname lookup.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

View the changeset:
https://github.com/libvirt/libvirt/compare/ed8661a309c9...e4cb8500810a

View the full build log and details:
https://travis-ci.org/libvirt/libvirt/builds/269683248?utm_source=email&utm_medium=notification

--

You can configure recipients for build notifications in your .travis.yml file.
See https://docs.travis-ci.com/user/notifications
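The commit message above relies on a property of getopt-style argument parsing: everything after a literal `--` is a positional argument, so a user-controlled hostname that begins with `-` can no longer be consumed as an option. The following is an added example, not libvirt's code, that models this with Python's `getopt` module standing in for ssh's own parser. The option string `o:p:l:T`, the `build_ssh_argv` and `hostname_is_wellformed` helpers, and the placeholder remote command are all constructed for the demonstration; only the hostname `-oProxyCommand=gnome-calculator` comes from the commit message.

```python
import getopt
import re

# Constructed stand-in for the subset of ssh options relevant here:
# -o takes a value, -p takes a port, -l takes a login name, -T is a flag.
SSH_OPTSTRING = "o:p:l:T"

# Hostname from the commit message: it looks like an option to ssh.
MALICIOUS_HOST = "-oProxyCommand=gnome-calculator"

# Placeholder for the remote command (constructed; not libvirt's real nc line).
REMOTE_CMD = "remote-command"


def build_ssh_argv(hostname, remote_cmd, port=None, user=None, end_of_options=True):
    """Assemble an ssh argv the way a client library would.

    With end_of_options=True, "--" is emitted before the hostname so that
    ssh stops option parsing there, which is the fix the commit describes.
    end_of_options=False reproduces the pre-fix ordering for comparison.
    """
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    if user is not None:
        argv += ["-l", user]
    argv.append("-T")
    if end_of_options:
        argv.append("--")
    argv += [hostname, remote_cmd]
    return argv


def parse_ssh_argv(argv):
    """Parse argv[1:] with getopt semantics; returns (options, positionals).

    getopt honours "--" exactly as ssh does: it terminates option parsing
    and is itself dropped from the positional list.
    """
    return getopt.getopt(argv[1:], SSH_OPTSTRING)


def proxy_command_seen(argv):
    """True if the parser would treat a ProxyCommand option as set."""
    opts, _ = parse_ssh_argv(argv)
    return any(name == "-o" and value.startswith("ProxyCommand=")
               for name, value in opts)


def hostname_is_wellformed(hostname):
    """Defence-in-depth check independent of "--": a hostname (or IPv6
    literal) never starts with "-", so reject such values before building
    any command line at all. Constructed, conservative pattern."""
    return re.fullmatch(r"[A-Za-z0-9\[][A-Za-z0-9.:\-\]]*", hostname) is not None


if __name__ == "__main__":
    for label, safe in (("without --", False), ("with --", True)):
        argv = build_ssh_argv(MALICIOUS_HOST, REMOTE_CMD, end_of_options=safe)
        opts, rest = parse_ssh_argv(argv)
        print(f"{label:12} argv={argv}")
        print(f"{'':12} options={opts} positionals={rest}")
        print(f"{'':12} ProxyCommand seen: {proxy_command_seen(argv)}")
    print("hostname well-formed:", hostname_is_wellformed(MALICIOUS_HOST))
```

Run stand-alone, the first parse shows `-oProxyCommand=gnome-calculator` absorbed as the value of `-o` and only the remote command left as a positional; the second parse, with `--` in place, leaves the same string as the first positional (where ssh would try, and fail, to resolve it as a host). The regex check is the belt to go with the braces: it rejects the value before any process is spawned, which is worth doing even with `--` present because other tools in a pipeline may not honour the end-of-options marker.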
participants (1)
-
Travis CI