Just installing v2.0.20.1 DOES NOT seem to fix CVE-2017-8768

Richard Taylor May 11, 2017

Issue:

Per https://nvd.nist.gov/vuln/detail/CVE-2017-8768 the vulnerability is in the custom URL command handler.

I had 1.9.13 installed (on Windows 10), and then installed 2.0.20.1.

Installing 2.0.20.1:

  • DOES NOT uninstall v1.9.x
  • DOES NOT remove or change the registry entry that defines the command handler (HKEY_CLASSES_ROOT\sourcetree)

So the dangerous custom URL handler still runs, and still loads the vulnerable v1.9.x despite the installation of v2.0.20.1.

Unless you manually uninstall 1.x, it seems that this vulnerability still exists!

I hope this is just something unusual with my setup, but I've tried uninstalling and re-installing 2.20.0.1 and the same issue persists.

The security warning email and page say:

"Customers who have upgraded to SourceTree for Mac version 2.5.1 or SourceTree for Windows version 2.0.20.1 are not affected."

This does not appear to be true. To be true it would need to add "and have manually uninstalled all 1.x".

Comments

Some comments on the limited attempts made to notify the user:

  1. Starting the very latest 1.19.x says "this is not supported".
    • "Not supported" does not mean "is vulnerable and must be uninstalled"! This warning needs to be much stronger!
    • This version updated with this message should have removed the command handler registry entry to at least reduce the risk.
  2. Starting 2.0.20.1 says "these old versions were found and it's recommended they be uninstalled".
    • Again, no mention of critical vulnerabilities. This should be much stronger!
    • Even if 2.0.20.x can't uninstall the old versions automatically, it can at least delete or overwrite the registry entry that defines the command handler.

Test Case

To test this for yourself:

1. Create a new html file with contents such as:

<html>
<head>
</head>
<body>
  <a href="sourcetree://vulnerability">Is this still vulnerable</a>
</body>
</html>

2. Open the HTML file in a browser and click the link. If SourceTree 1.9.x opens, you are likely still vulnerable.

Postscript

I realise SourceTree is free and you are presumably under lots of pressure over the last few days, so I do want to say thanks for the hard work and I hope these issues can be resolved quickly.

I don't believe anything in this discusses security issues that are not already in the public domain (or trivially related to it).  If you disagree, please feel free to remove this comment and point me at your security contact.
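The manual test above tells you which SourceTree build answers a sourcetree:// link by watching what opens. The following PowerShell script, added here as an example and not part of the original post or of SourceTree itself, performs the same check from the registry: it reads the command registered for the sourcetree:// scheme and reports the version of the executable it points at. It assumes the handler is stored in the standard Windows location HKEY_CLASSES_ROOT\sourcetree\shell\open\command (the post only names HKEY_CLASSES_ROOT\sourcetree), that the executable's file version reflects the SourceTree product version, and that 2.0.20.1 is the fixed version named in the advisory.

```powershell
# Added example (not from the original post or from Atlassian): report which
# executable is registered for the sourcetree:// URL scheme and whether it
# predates the fixed version 2.0.20.1 named in the advisory.
# Assumptions: the handler command lives at the standard Windows location
# HKCR\sourcetree\shell\open\command, and the executable's FileVersion
# matches the SourceTree product version.

function Get-SourceTreeUrlHandler {
    $key = 'Registry::HKEY_CLASSES_ROOT\sourcetree\shell\open\command'
    $fixed = [version]'2.0.20.1'

    if (-not (Test-Path $key)) {
        # No handler registered: sourcetree:// links will not launch anything.
        return [pscustomobject]@{
            Registered = $false; Command = $null; Exe = $null; Version = $null; Vulnerable = $false
        }
    }

    # The default value of the key holds the full command line, typically
    # "C:\path\SourceTree.exe" "%1"; pull the quoted executable path out of it.
    $command = (Get-ItemProperty -Path $key).'(default)'
    $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }

    # Read the file version of the registered executable, if it still exists.
    $version = $null
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    }

    # $null means "could not determine"; $true means the handler still
    # points at a build older than the fixed version.
    $vulnerable = $null
    if ($version) {
        try { $vulnerable = ([version]$version) -lt $fixed } catch { $vulnerable = $null }
    }

    [pscustomobject]@{
        Registered = $true
        Command    = $command
        Exe        = $exe
        Version    = $version
        Vulnerable = $vulnerable
    }
}

$result = Get-SourceTreeUrlHandler
$result | Format-List

if ($result.Registered -and $result.Vulnerable -eq $true) {
    Write-Warning ("sourcetree:// is still handled by {0} (version {1}); " +
                   "uninstall the 1.x build so the handler no longer points at it.") -f $result.Exe, $result.Version
}
elseif ($result.Registered -and $null -eq $result.Vulnerable) {
    Write-Warning "Could not determine the version of $($result.Exe); check it manually."
}
```

Run it in an elevated or normal PowerShell session after installing 2.0.20.1; a result with Vulnerable = True reproduces the situation the post describes, where the handler key still references the 1.9.x executable. Removing the whole HKEY_CLASSES_ROOT\sourcetree key (the mitigation the post suggests the installer could apply) would stop all sourcetree:// links from launching anything, including the fixed version, so uninstalling the old build is the cleaner fix.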

1 comment

Sam Hall, Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 11, 2017

Hi Richard - this is a community forum used (mostly) by users like you and me to share knowledge, tips and ask and answer questions.

Atlassian do read and post on here, but it's not a formal way to give feedback, raise bugs or request support.

If you want to contact Atlassian directly with a bug report like this, the best way is via a support ticket at https://support.atlassian.com/contact/

That'll get a bug raised on jira.atlassian.com.

In the meantime, I will see if I can bring this to the attention of someone from Atlassian.

Richard Taylor May 11, 2017

Thanks for taking this up Sam,

I have had responses to other comments on here so I didn't realise there was somewhere else for more directly entering bugs. I'll go and add this bug via the link you recommend.

If you have contacts with Atlassian, it's probably worth suggesting that they make the location for adding bug reports more clear, both in this section and in the emails launching this community section. e.g. the email I received 3 days ago said:

"Get product support via the Q&A forum" (their bold)

so I hope I can be forgiven for posting in the wrong place!

That said, I do think it also has a place here as I feel it is important for other users to know the potential ongoing risk and how to protect themselves.

Sam Hall, Rising Star
May 11, 2017

No problem. It seems worth flagging up.

For what it's worth, I think Atlassian would rather people came here first with most product related questions.

It's deliberately promoted as the first stop for users, partly because it filters out a lot of the trivial stuff before it goes to their support team (not that I am saying this is trivial!).

After all, me replying to you here is not costing them any money : )

Plus, there are some serious experts who post here with tons of experience in using Atlassian's products. 

I agree that they could make the route to raise a bug more obvious. In general, there's quite an array of resources and contact points available, so I'm never surprised when it is not clear.

I hope this new community is the first step toward improving that stuff. That's partly why I put the effort in here to help.

Sam Hall, Rising Star
May 11, 2017

Oh - also. This is the original bug on CVE-2017-8768, if you haven't looked through it already: https://jira.atlassian.com/browse/SRCTREEWIN-7161

Could be worth a comment on there.

chhabs
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 11, 2017

Hi Richard, thanks for writing in and for the feedback. You're correct, manually removing older versions is required to close the security gap. We'll update our documents accordingly. Thank you for your thoughtful comments and proactive support.

-Rahul

Product Manager | SourceTree

PS. I'll comment on the support ticket as well. 
