-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at https://confluence.atlassian.com/x/lIIyO.

CVE ID:

* CVE-2017-14592
* CVE-2017-14593
* CVE-2017-17458
* CVE-2017-17831

Product: Sourcetree

Affected Sourcetree product versions:

Sourcetree for macOS 1.0b2 <= version < 2.7.0
Sourcetree for Windows 0.5.1.0 <= version < 2.4.7.0

Fixed Sourcetree product versions:

* Versions of SourceTree for macOS, equal to and above 2.7.0 contain a fix for this issue.
* Versions of SourceTree for Windows, equal to and above 2.4.7.0 contain a fix for this issue.

Summary:

This advisory discloses critical severity security vulnerabilities.

Customers who have upgraded Sourcetree for macOS to version 2.7.0 are not affected.
Customers who have upgraded Sourcetree for Windows to version 2.4.7.0 are not affected.

Customers who have downloaded and installed Sourcetree for macOS starting with 1.0b2 before version 2.7.0
Customers who have downloaded and installed Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0

Please upgrade your Sourcetree for macOS or Sourcetree for Windows installations immediately to fix the vulnerabilities mentioned in this advisory.

Sourcetree for macOS - Various argument and command injection issues (CVE-2017-14592)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

Sourcetree for macOS had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for macOS is able to exploit this issue to gain code execution on the system.
From version 1.4.0 of Sourcetree for macOS, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability.

This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5243.

Acknowledgements:

Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

Sourcetree for Windows - Various argument and command injection issues (CVE-2017-14593)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description:

Sourcetree for Windows had several argument and command injection bugs in Mercurial and Git repository handling. An attacker with permission to commit to a repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.

From version 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability.

This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8256.

Acknowledgements:

Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

Sourcetree for macOS and Windows - Mercurial: arbitrary command execution in mercurial repositories with a git submodule (CVE-2017-17458)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.
This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description:

The embedded version of Mercurial used in Sourcetree for macOS and Sourcetree for Windows was vulnerable to CVE-2017-17458. An attacker can exploit this issue if they commit to a Mercurial repository linked in Sourcetree for macOS or Sourcetree for Windows by adding a git subrepository specifying arbitrary code in the form of a .git/hooks/post-update script. This allows the attacker to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS or Sourcetree for Windows.

Sourcetree for macOS and Sourcetree for Windows perform background indexing, which allows for this issue to be exploited without a user needing to directly interact with the git subrepository.

From version 1.4.0 of Sourcetree for macOS and 0.8.4b of Sourcetree for Windows, this vulnerability can be triggered from a webpage through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 1.0b2 before version 2.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5244.

Versions of Sourcetree for Windows starting with 0.5.1.0 before version 2.4.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8257.

Acknowledgements:

Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.

Sourcetree for macOS and Windows - Git LFS: Arbitrary command execution in repositories with Git LFS enabled (CVE-2017-17831)

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.

This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description:

The embedded version of Git LFS used in Sourcetree for macOS and Windows was vulnerable to CVE-2017-17831. An attacker can exploit this issue if they can commit to a git repository linked in Sourcetree for macOS or Sourcetree for Windows by adding a .lfsconfig file containing a malicious lfs url. This allows them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS or Sourcetree for Windows.

This vulnerability can also be triggered from a web page through the use of the Sourcetree URI handler.

Versions of Sourcetree for macOS starting with 2.1 before version 2.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREE-5246.

Versions of Sourcetree for Windows starting with 1.7.0 before version 2.4.7.0 are affected by this vulnerability. This issue can be tracked at https://jira.atlassian.com/browse/SRCTREEWIN-8261.

Remediation:

Atlassian recommends that you upgrade to the latest version of Sourcetree:

* To version 2.7.0 or higher for macOS. NOTE: Mac OS X 10.11 or later is required for Sourcetree 2.5.0 or later.
* To version 2.4.7.0 or higher for Windows, and manually uninstall any older versions of Sourcetree.

If you are using the embedded version of Git and/or Mercurial, then after updating Sourcetree you should also update the embedded version:

* To update the embedded version of Git, select "Options" from the "Tools" menu, click on the Git tab, then click the 'Update Embedded Git' button.
* To update the embedded version of Mercurial, select "Options" from the "Tools" menu, click on the Mercurial tab, then click the 'Update Embedded Mercurial' button.

If you are using the system-provided Git and/or Mercurial, please ensure that you keep the system version up to date.

For a full description of the latest version of Sourcetree, see the release notes for macOS and Windows.
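Added example (not part of Atlassian's advisory): a small checker that tells an administrator which of the four CVEs apply to a given installed Sourcetree version, using only the affected ranges and URI-handler thresholds stated above. It assumes that a trailing "b" in a version string (as in 1.0b2 or 0.8.4b) marks a beta that sorts before the final release with the same number; that assumption and the platform labels "macos"/"windows" are the author's, not Sourcetree's.

```python
"""Check an installed Sourcetree version against the affected ranges in the
advisory for CVE-2017-14592, CVE-2017-14593, CVE-2017-17458 and CVE-2017-17831.
Added example; the version ranges below are copied from the advisory text."""
import re
from typing import List, Tuple

# (platform, CVE, first affected version, first fixed version), as stated in the advisory
AFFECTED_RANGES = [
    ("macos",   "CVE-2017-14592", "1.0b2",   "2.7.0"),
    ("macos",   "CVE-2017-17458", "1.0b2",   "2.7.0"),
    ("macos",   "CVE-2017-17831", "2.1",     "2.7.0"),
    ("windows", "CVE-2017-14593", "0.5.1.0", "2.4.7.0"),
    ("windows", "CVE-2017-17458", "0.5.1.0", "2.4.7.0"),
    ("windows", "CVE-2017-17831", "1.7.0",   "2.4.7.0"),
]

# Versions from which the advisory says a web page can reach the bugs via the URI handler
URI_HANDLER_SINCE = {"macos": "1.4.0", "windows": "0.8.4b"}

# Numeric dotted version with an optional beta suffix such as "b2" or a bare "b"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:b(\d*))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.7.0', '2.1' or '1.0b2' into a tuple that compares correctly.

    Numeric parts are padded to four places. A beta (assumption: the 'b'
    suffix) sorts before the final release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sourcetree version: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    if m.group(2) is None:                          # final release
        return tuple(nums) + (1, 0)
    beta = int(m.group(2)) if m.group(2) else 0     # '0.8.4b' carries no beta number
    return tuple(nums) + (0, beta)


def affected_cves(platform: str, version: str) -> List[str]:
    """CVE IDs from the advisory whose affected range contains this version."""
    v = parse_version(version)
    plat = platform.lower()
    return [cve for p, cve, lo, hi in AFFECTED_RANGES
            if p == plat and parse_version(lo) <= v < parse_version(hi)]


def uri_handler_exposed(platform: str, version: str) -> bool:
    """True when the version is affected and new enough that, per the advisory,
    a crafted web page can trigger the issue through the Sourcetree URI handler."""
    plat = platform.lower()
    if not affected_cves(plat, version):
        return False
    return parse_version(version) >= parse_version(URI_HANDLER_SINCE[plat])


if __name__ == "__main__":
    for plat, ver in [("macos", "2.6.3"), ("macos", "2.7.0"), ("windows", "1.6.0")]:
        print(plat, ver, affected_cves(plat, ver), "uri-handler:", uri_handler_exposed(plat, ver))
```

Feed it the version shown in Sourcetree's About dialog; an empty list means the install is at or past the fixed version (or predates the first affected one). Remember that the embedded Git and Mercurial are updated separately, as the remediation section says, so a fixed Sourcetree version alone does not prove the embedded tools are current.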
You can download the latest versions of Sourcetree from the Sourcetree website (https://www.sourcetreeapp.com/).

Support:

Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to https://community.atlassian.com/t5/SourceTree/ct-p/sourcetree .

-----BEGIN PGP SIGNATURE-----

iQI0BAEBCgAeBQJacnTRFxxzZWN1cml0eUBhdGxhc3NpYW4uY29tAAoJECQgl6K8
UnagRVMP+wYbUmsqAjbFuK3vbZRcjwaoo/FknLQIWnEvaMNJZGF0T+g3u0tLISEP
DhHHbccmQETaLEK3Cb6XgCLrKP+bBXPywTb1eryP1hkLTf+kMwuD80cYKwHI3c2t
vP3eUiCsj6UKnnDJqY3Io3Bt+y/zO0Eh6llOmPK+uFgH9LHjVXLGRkgnFwbsMZq2
J1/Q8Z7SaOA7E6GTuVIMKuZ2phgvsMCPqEymmgWNH8CYFAjfnFDNwyYDnA2YWdzk
53uXj0OKcdZh47frRPdaEX+nB7T51fHXBSfRpePNFs8lfjMFXX+P96JK6sKXK4mo
rZ5hkokxPOFzlCZfRONxniVviQ2LnvbpfIire2JldJE8bksmleaQH4QfptfKA1/6
6ty0R0SKnxHalRyxTbf1YLxpjNyJbnYy9ljQ/hETdDGwqN+XDV2600bWsLoxO5Yi
sXBK5cvDWeXfcEyjpEBDpFlIZZIAJ1r2qZKSycJlQhhQrNRaKRm+ckQmjnhM6zaK
GecIcL12MeeGt5ktzWBLxGxA1848MnhuSonHkGAycQ5tPDnPJ4aeyfGn5oJa0Cgx
AAxj8t/1T5ww5iC2amGtCIpAFESyUdqS4ST0FFixs9zD+xxCXh1o/V1gq6y+ufcX
y76oHGRSID6agxF+cTXmYoa2OdC9By8nzsOc/Gd4xKz40hTDeTlk
=6DwX
-----END PGP SIGNATURE-----
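Added example, not part of the advisory: the two embedded-tool issues above (CVE-2017-17458, a git subrepository carrying a .git/hooks/post-update script inside a Mercurial repository, and CVE-2017-17831, a .lfsconfig that points Git LFS at a malicious url) both hinge on content that a committer can place in the repository itself. The scanner below walks a checkout before it is opened in a client and lists those artefacts for manual review. It relies on two standard file formats: Mercurial's .hgsub, where a line "path = [git]source" declares a git-kind subrepository, and Git LFS's .lfsconfig, a git-config style file whose [lfs] section holds the url key. The sample checkout it builds is constructed for the demonstration, with placeholder hosts and a harmless placeholder hook; the code only reads files and never runs anything from the repository.

```python
"""Pre-screen a clone for the repository contents named in the advisory:
git-kind subrepositories in a Mercurial .hgsub, hook scripts inside a nested
.git/hooks directory, and a .lfsconfig that redirects the Git LFS endpoint.
Added example with a constructed sample checkout; it reads files only."""
import os
import re
import shutil
import tempfile
from typing import List

# .hgsub lines look like "path = [kind]source"; only the git kind matters here
_HGSUB_GIT = re.compile(r"^\s*([^=#]+?)\s*=\s*\[git\]\S+")
_SECTION = re.compile(r"^\s*\[([^\]]+)\]")
_KEYVAL = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def git_subrepos(hgsub_text: str) -> List[str]:
    """Subrepository paths declared with the [git] kind in a .hgsub file."""
    return [m.group(1) for m in map(_HGSUB_GIT.match, hgsub_text.splitlines()) if m]


def lfs_urls(lfsconfig_text: str) -> List[str]:
    """Values of 'url' keys inside the [lfs] section of a git-config style file."""
    urls, in_lfs = [], False
    for line in lfsconfig_text.splitlines():
        section = _SECTION.match(line)
        if section:
            in_lfs = section.group(1).strip().lower() == "lfs"
            continue
        kv = _KEYVAL.match(line)
        if in_lfs and kv and kv.group(1).lower() == "url":
            urls.append(kv.group(2))
    return urls


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def scan_repo(root: str) -> List[str]:
    """Walk a checkout and return findings a reviewer should inspect by hand."""
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                                   # deterministic output order
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d != ".git"]   # the clone's own metadata
        rel = os.path.relpath(dirpath, root)
        if ".hgsub" in filenames:
            for path in git_subrepos(_read(os.path.join(dirpath, ".hgsub"))):
                findings.append(f"{rel}: .hgsub declares git subrepository {path!r}")
        if ".lfsconfig" in filenames:
            for url in lfs_urls(_read(os.path.join(dirpath, ".lfsconfig"))):
                findings.append(f"{rel}: .lfsconfig sets lfs.url = {url!r}")
        # Hook scripts shipped inside a nested .git directory; the advisory names
        # post-update, but any non-sample hook placed there deserves a look.
        if os.path.basename(dirpath) == ".git" and "hooks" in dirnames:
            hooks_dir = os.path.join(dirpath, "hooks")
            for name in sorted(os.listdir(hooks_dir)):
                if os.path.isfile(os.path.join(hooks_dir, name)) and not name.endswith(".sample"):
                    findings.append(f"{rel}: hook script {name}")
    return findings


def _write(root: str, relpath: str, text: str) -> None:
    full = os.path.join(root, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_checkout() -> str:
    """Constructed sample checkout (not a real repository) that exercises each check."""
    root = tempfile.mkdtemp(prefix="srctree-screen-")
    # Mercurial subrepo map with one git-kind entry and one plain Mercurial entry
    _write(root, ".hgsub", "vendor/lib = [git]https://example.invalid/lib.git\ndocs = docs-sub\n")
    # Git LFS config that points the LFS endpoint at a placeholder host
    _write(root, ".lfsconfig", "[lfs]\n\turl = https://example.invalid/lfs\n")
    # A placeholder hook inside the subrepository's .git directory, plus a sample hook
    _write(root, os.path.join("vendor", "lib", ".git", "hooks", "post-update"),
           "#!/bin/sh\necho placeholder hook\n")
    _write(root, os.path.join("vendor", "lib", ".git", "hooks", "pre-commit.sample"), "# sample\n")
    return root


if __name__ == "__main__":
    sample = build_sample_checkout()
    try:
        for finding in scan_repo(sample):
            print(finding)
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

A finding is not proof of malice: teams legitimately use git subrepositories and self-hosted LFS endpoints. The point is that these entries change what the client will execute or connect to, so they should be reviewed, and the client patched, before the repository is opened in Sourcetree.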