-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0956
                      March 2019 Sourcetree Advisory
                               22 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Atlassian Sourcetree
Publisher:         Atlassian
Operating System:  Mac OS
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-20236 CVE-2018-20235 CVE-2018-20234
                   CVE-2018-17456  

Original Bulletin: 
   https://confluence.atlassian.com/sourcetreekb/sourcetree-security-advisory-2019-03-06-966678691.html

- --------------------------BEGIN INCLUDED TEXT--------------------

March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities

  Summary                March 2019 Sourcetree Advisory - Multiple Remote Code
                         Execution Vulnerabilities

  Advisory Release Date  06 Mar 2019 10:00 AM PDT (Pacific Time, -7 hours)

  Products               o Sourcetree for macOS
                         o Sourcetree for Windows

  Affected Sourcetree    o Sourcetree for macOS 1.2 <= version < 3.1.1
  Versions               o Sourcetree for Windows 0.5a <= version < 3.0.17

  Fixed Sourcetree       o Sourcetree for macOS version 3.1.1 and higher.
  Versions               o Sourcetree for Windows version 3.0.17 and higher.

  CVE ID(s)              o CVE-2018-20234
                         o CVE-2018-20235
                         o CVE-2018-17456
                         o CVE-2018-20236

Summary of Vulnerabilities

This advisory discloses three critical severity security vulnerabilities in
Sourcetree for macOS and Sourcetree for Windows, covering four CVE identifiers
(the Mercurial hooks issue carries one CVE per platform).

Versions of Sourcetree for macOS starting with 1.2 before 3.1.1, and versions
of Sourcetree for Windows starting with 0.5a before 3.0.17 are affected by one
or more of these vulnerabilities.

Customers who have upgraded to Sourcetree for macOS version 3.1.1 or Sourcetree
for Windows version 3.0.17 are not affected.

Customers who have downloaded and installed Sourcetree for macOS before version
3.1.1 or Sourcetree for Windows before version 3.0.17 are affected.

Please upgrade your Sourcetree installations immediately to fix these
vulnerabilities.

Mercurial hooks vulnerability - CVE-2018-20234 and CVE-2018-20235

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT
environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before
version 3.0.15 were vulnerable to CVE-2018-20234 and CVE-2018-20235
respectively. A remote attacker with permission to commit to a Mercurial
repository linked in Sourcetree for macOS or Windows is able to exploit this
issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are
affected by this vulnerability. This issue can be tracked here:

SRCTREE-6391 - Argument Injection via Mercurial hooks in Sourcetree
for macOS - CVE-2018-20234 CLOSED

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.15 are
affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11289 - Argument Injection via Mercurial hooks in
Sourcetree for Windows - CVE-2018-20235 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

 1. Released Sourcetree for Windows version 3.0.15 that contains a fix for this
    issue.

 2. Released Sourcetree for macOS version 3.1.1 that contains a fix for this
    issue.

Git submodules vulnerability - CVE-2018-17456

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT
environment.

Description

Sourcetree for macOS before version 3.1.1 and Sourcetree for Windows before
version 3.0.17 were both vulnerable to CVE-2018-17456. A remote attacker with
permission to commit to a git repository linked in Sourcetree for macOS or
Windows is able to exploit this issue to gain code execution on the system.

Versions of Sourcetree for macOS starting with 1.2 before version 3.1.1 are
affected by this vulnerability. This issue can be tracked here:

SRCTREE-6394 - Input validation vulnerability via Git in Sourcetree
for Mac - CVE-2018-17456 CLOSED

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.17 are
affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11292 - Input validation vulnerability via Git in
Sourcetree for Windows - CVE-2018-17456 CLOSED
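The advisory above does not describe the mechanism of CVE-2018-17456. Upstream git's fix for the same CVE (git 2.19.1 and the parallel maintenance releases) refuses submodule url and path values that begin with a dash, because such a value was previously passed to a child git process and parsed as a command-line option during a recursive clone. The script below is an added example for this bulletin, not Atlassian or Sourcetree code: it parses a .gitmodules file and flags entries that match that option-like pattern, so a repository can be triaged before it is opened in an unpatched client. The sample .gitmodules content and the "-u./payload" value in it are constructed for the demonstration.

```python
"""Flag submodule entries in a .gitmodules file whose url or path starts
with a dash (the option-injection pattern behind CVE-2018-17456).

Added example for this bulletin; it is not Atlassian or Sourcetree code and
reproduces only the dash check that upstream git applies since its fix.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: one ordinary submodule and one whose url would be
# handed to a child "git clone" as an option instead of a repository URL.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
\tpath = lib/good
\turl = https://example.com/org/good.git
[submodule "lib/bad"]
\tpath = lib/bad
\turl = -u./payload
"""

SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]$')
KEYVAL_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for git's INI-like .gitmodules format."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            modules.setdefault(current, {})
            continue
        kv = KEYVAL_RE.match(line)
        if kv and current is not None:
            # git keys are case-insensitive; values may be double-quoted
            modules[current][kv.group(1).lower()] = kv.group(2).strip().strip('"')
    return modules


def is_option_like(value: str) -> bool:
    """True when a url/path would be parsed as a command-line option."""
    return value.startswith("-")


def find_option_injection(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule, key, value) for every url/path starting with '-'."""
    findings = []
    for name, kv in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = kv.get(key)
            if value is not None and is_option_like(value):
                findings.append((name, key, value))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Walk a checkout and check every .gitmodules, nested submodules included."""
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if ".gitmodules" in filenames:
            path = os.path.join(dirpath, ".gitmodules")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for name, key, value in find_option_injection(fh.read()):
                    results.append((path, name, key, value))
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1])
    else:
        hits = [("<sample>",) + f for f in find_option_injection(SAMPLE_GITMODULES)]
    for path, name, key, value in hits:
        print(f"{path}: submodule {name!r} has option-like {key}: {value!r}")
    sys.exit(1 if hits else 0)
```

Run it with a checkout path to scan every .gitmodules in the tree, or with no arguments to exercise the constructed sample. The check is a triage aid only: the fix for the client is the Sourcetree upgrade the advisory prescribes (and a git version that carries the upstream fix).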

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

 1. Released Sourcetree for macOS version 3.1.1 that contains a fix for this
    issue.

 2. Released Sourcetree for Windows version 3.0.17 that contains a fix for this
    issue.

URI handling vulnerability - CVE-2018-20236

Severity

Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate how it applies to your own IT
environment.

Description

Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236.
A remote attacker able to send a URI to a Sourcetree for Windows user is able
to exploit this issue to gain code execution on the system.

Versions of Sourcetree for Windows starting with 0.5a before version 3.0.10 are
affected by this vulnerability. This issue can be tracked here:

SRCTREEWIN-11291 - Command Injection via URI handling in Sourcetree
for Windows - CVE-2018-20236 CLOSED

Acknowledgements

Credit for finding this vulnerability goes to Terry Zhang (pnig0s) at Tophant.

Fix

We have taken the following steps to address this issue:

 1. Released Sourcetree for Windows version 3.0.10 that contains a fix for this
    issue.

What You Need to Do

Upgrade Sourcetree for Windows to version 3.0.17 or higher.

Upgrade Sourcetree for macOS to version 3.1.1 or higher.

Atlassian recommends that you upgrade to the latest version. For a full
description of the latest version of Sourcetree for macOS, see the release
notes. For a full description of the latest version of Sourcetree for Windows, 
see the release notes. You can download the latest version of Sourcetree from
the Sourcetree website.
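The fixed versions differ per CVE on Windows (3.0.10, 3.0.15 and 3.0.17), so a fleet sitting between those releases is only partly patched. The script below is an added example for this bulletin, not Atlassian code: it encodes the affected and fixed ranges stated in the advisory and reports which CVEs a given installed version is still exposed to. The inventory lines in the main block are constructed; feed in the product version of the installed Sourcetree (for example from the application bundle's version string on macOS or the executable's file version on Windows).

```python
"""Which of this advisory's CVEs remain unfixed for a given installed
Sourcetree version.

Added example for this bulletin, not Atlassian code. The version ranges are
copied from the advisory text; only the parsing and comparison logic is new.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First version in the affected range, per platform (from the advisory).
FIRST_AFFECTED: Dict[str, Version] = {"windows": (0, 5), "macos": (1, 2)}

# First version that fixes each CVE, per platform (from the advisory).
# The Windows fixes landed in three different releases, so an install at
# 3.0.15 still carries CVE-2018-17456 even though it is past 3.0.10.
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "windows": {
        "CVE-2018-20236": (3, 0, 10),  # URI handling command injection
        "CVE-2018-20235": (3, 0, 15),  # Mercurial hooks argument injection
        "CVE-2018-17456": (3, 0, 17),  # Git submodule input validation
    },
    "macos": {
        "CVE-2018-20234": (3, 1, 1),   # Mercurial hooks argument injection
        "CVE-2018-17456": (3, 1, 1),   # Git submodule input validation
    },
}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'3.0.17' -> (3, 0, 17); '0.5a' -> (0, 5). Trailing letters are ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def outstanding_cves(platform: str, installed: str) -> List[str]:
    """CVEs from this advisory that 'installed' on 'platform' is still exposed to."""
    plat = platform.lower()
    if plat not in FIXED_IN:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(installed)
    if v < FIRST_AFFECTED[plat]:
        return []
    # Tuple comparison treats a shorter prefix as lower, so (3, 1) < (3, 1, 1).
    return sorted(cve for cve, fixed in FIXED_IN[plat].items() if v < fixed)


def is_affected(platform: str, installed: str) -> bool:
    """True if at least one CVE from this advisory is unfixed at this version."""
    return bool(outstanding_cves(platform, installed))


if __name__ == "__main__":
    # Constructed inventory lines: "<host>,<platform>,<version>".
    inventory = [
        "ws-01,windows,3.0.9",
        "ws-02,windows,3.0.15",
        "ws-03,windows,3.0.17",
        "mac-01,macos,3.0.5",
        "mac-02,macos,3.1.1",
    ]
    for line in inventory:
        host, plat, ver = line.split(",")
        cves = outstanding_cves(plat, ver)
        status = ", ".join(cves) if cves else "not affected"
        print(f"{host:<8} {plat:<8} {ver:<8} {status}")
```

Version strings with a letter suffix such as the advisory's "0.5a" compare as their numeric prefix, which is sufficient for these ranges; a two-component version such as "3.1" sorts below "3.1.1" and is correctly reported as affected.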

Support

If you did not receive an email for this advisory and you wish to receive such
emails in the future go to https://my.atlassian.com/email and subscribe to
Alerts emails.

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

References

Security Bugfix Policy     Our SLAs and guarantees for bugfixes.

Severity Levels for        Atlassian security advisories include a severity
security issues            level and a CVE identifier. This severity level is
                           based on our self-calculated CVSS score for each
                           specific vulnerability. CVSS is an industry standard
                           vulnerability metric. You can also learn more about
                           CVSS at FIRST.org.

End of Life Policy         Our end of life policy varies for different
                           products. Please refer to the policy for details.
Last modified on Mar 6, 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----