Critical severity 9.8 · NVD Advisory · Published Oct 29, 2017 · Updated May 13, 2026
CVE-2017-16228
Description
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
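The mechanism in the description is argument injection: the host taken from an ssh URL is placed into the `ssh` command line, and `ssh` parses leading-dash words as options until it meets the first non-option word, so a hostname beginning with `-` is interpreted as an option instead of a destination. The following is an added example, not Dulwich's own code: a builder in the pre-0.18.5 shape beside a hardened builder that mirrors the check in the 0.18.5 commit, plus a small `ssh://` URL parser built on `urllib.parse`. The base option list `['ssh', '-x']`, the function names and the constructed hosts (`--weird-host`, `--weird-user`, `example.com`) are assumptions; only the `-p PORT` and `user@host` handling follows the published diff.

```python
# Added example (not Dulwich's own code): the argv-construction pattern that
# CVE-2017-16228 describes, beside a hardened builder mirroring the upstream
# check. The base ssh option list ['ssh', '-x'] is an assumption; only the
# '-p PORT' and 'user@host' handling is taken from the published diff.
from urllib.parse import urlparse


class StrangeHostname(Exception):
    """Raised instead of handing a dash-leading host string to the ssh binary."""

    def __init__(self, hostname):
        super().__init__(hostname)
        self.hostname = hostname   # kept so callers can report what was refused


def _base_args(port):
    args = ['ssh', '-x']                  # assumed base options
    if port is not None:
        # The value follows '-p', so it is consumed as that option's argument
        # and can never be parsed as a separate option itself.
        args.extend(['-p', str(port)])
    return args


def build_ssh_argv_vulnerable(host, command, username=None, port=None):
    """Pre-0.18.5 shape: the host taken from the URL goes straight into argv.
    ssh parses options up to the first non-option word, so a host that
    starts with '-' is read as an option rather than as a destination."""
    args = _base_args(port)
    if username is not None:
        host = '%s@%s' % (username, host)
    args.append(host)
    return args + [command]


def build_ssh_argv_hardened(host, command, username=None, port=None):
    """0.18.5 shape: refuse any host string that ssh would parse as an option.
    The check sits after the user@host join, so a dash that originates in the
    username is rejected as well; 'user@-host' does not start with '-' and is
    read by ssh as a destination, so it passes, as it does upstream."""
    args = _base_args(port)
    if username is not None:
        host = '%s@%s' % (username, host)
    if host.startswith('-'):
        raise StrangeHostname(host)
    args.append(host)
    return args + [command]


def parse_ssh_url(url):
    """Split an ssh:// URL into (username, host, port, path).
    urlparse performs no validation of a dash-leading host, which is exactly
    why the argv builder has to check the string it is about to exec."""
    parts = urlparse(url)
    if parts.scheme != 'ssh':
        raise ValueError('not an ssh URL: %r' % url)
    return parts.username, parts.hostname, parts.port, parts.path


def argv_for_url(url, command):
    """Hardened end-to-end path: ssh URL -> argv list, or StrangeHostname."""
    username, host, port, _path = parse_ssh_url(url)
    return build_ssh_argv_hardened(host, command, username=username, port=port)


if __name__ == '__main__':
    print(build_ssh_argv_vulnerable('--weird-host', 'git-upload-pack'))
    try:
        argv_for_url('ssh://-weird-host/repo.git', 'git-upload-pack')
    except StrangeHostname as exc:
        print('refused:', exc.hostname)
```

The vulnerable builder is kept only to make the contrast visible; it returns the argv list and never spawns a process. The important design point is where the check sits: validating the string that actually becomes an argv element (after the `user@host` join) is what makes a dash coming from either URL component get caught.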
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dulwich (PyPI) | < 0.18.5 | 0.18.5 |
Patches (1)
7116a0cbbda5: Prevent setting SSH arguments in SSH URLs when using subprocess SSH client.
3 files changed · +23 −0
dulwich/client.py+9 −0 modified@@ -1080,6 +1080,13 @@ def run_command(self, host, command, username=None, port=None): raise NotImplementedError(self.run_command) +class StrangeHostname(Exception): + """Refusing to connect to strange SSH hostname.""" + + def __init__(self, hostname): + super(StrangeHostname, self).__init__(hostname) + + class SubprocessSSHVendor(SSHVendor): """SSH vendor that shells out to the local 'ssh' command.""" @@ -1090,6 +1097,8 @@ def run_command(self, host, command, username=None, port=None): args.extend(['-p', str(port)]) if username is not None: host = '%s@%s' % (username, host) + if host.startswith('-'): + raise StrangeHostname(hostname=host) args.append(host) proc = subprocess.Popen(args + [command], bufsize=0, stdin=subprocess.PIPE,
dulwich/tests/test_client.py+10 −0 modified@@ -50,6 +50,8 @@ HttpGitClient, ReportStatusParser, SendPackError, + StrangeHostname, + SubprocessSSHVendor, UpdateRefsError, default_urllib2_opener, get_transport_and_path, @@ -942,3 +944,11 @@ def test_config_proxy(self): opener = default_urllib2_opener(config=config) self.assertIn(urllib2.ProxyHandler, list(map(lambda x: x.__class__, opener.handlers))) + + +class SubprocessSSHVendorTests(TestCase): + + def test_run_command_dashes(self): + vendor = SubprocessSSHVendor() + self.assertRaises(StrangeHostname, vendor.run_command, '--weird-host', + 'git-clone-url')
NEWS+4 −0 modified@@ -7,6 +7,10 @@ * Fix setting of origin in config when non-standard origin is passed into ``Repo.clone``. (Kenneth Lareau, #565) + * Prevent setting SSH arguments from SSH URLs when using SSH through a + subprocess. Note that Dulwich doesn't support cloning submodules. + (CVE 2017-1000117) (Jelmer Vernooij) + IMPROVEMENTS * Silently ignored directories in ``Repo.stage``.
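Review bot: in the first `dulwich/client.py` hunk, `StrangeHostname.__init__` only forwards `hostname` to `Exception.__init__`, so the override adds nothing over the default constructor; either drop it or make it useful by storing the value (`self.hostname = hostname`) so callers and log lines can show what was refused. A one-line comment above the class naming the issue it guards against would also help future readers understand why a dash-leading host is rejected outright.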
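Review bot: in the second `dulwich/client.py` hunk, placing `if host.startswith('-'): raise StrangeHostname(hostname=host)` after `host = '%s@%s' % (username, host)` is the right position, since it rejects a dash that comes from either the hostname or the username, while a `user@-host` join no longer starts with a dash and is read by ssh as a destination. Two follow-ups: the `run_command` docstring should state that `StrangeHostname` may be raised, and the same guard belongs in any other vendor that builds a command line from URL-derived values (the `port` value is safe here only because it follows `-p` and is consumed as that option's argument).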
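Review bot: the second `dulwich/tests/test_client.py` hunk covers only the dash-leading host path (`'--weird-host'`); add a case where the dash originates in `username`, since `run_command` joins it into the host string before the check, and a sanity case with an ordinary host to ensure legitimate hostnames are not rejected. The sanity case needs `subprocess.Popen` patched out, as `run_command` would otherwise try to spawn a real `ssh` process during the test run.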
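Review bot: the `NEWS` hunk cites `(CVE 2017-1000117)`, which is the git identifier listed in this advisory as a related issue; the Dulwich issue itself is CVE-2017-16228, and the entry should name that (or be updated once assigned) so downstream packagers can match the changelog to the advisory. The sentence "Note that Dulwich doesn't support cloning submodules" reads as an aside without context; stating why it matters (the submodule recursion path that affected git does not exist here) would make the entry clearer.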
References (11)
- www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (nvd: Issue Tracking, Patch, Vendor Advisory)
- github.com/advisories/GHSA-cwwh-4382-6fwr (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-16228 (ghsa: ADVISORY)
- tracker.debian.org/news/882440 (nvd: Issue Tracking, Third Party Advisory; WEB)
- www.dulwich.io/code/dulwich/ (nvd: Product, Vendor Advisory)
- github.com/jelmer/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/dulwich/PYSEC-2017-12.yaml (ghsa: WEB)
- web.archive.org/web/20201220231743/https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (ghsa: WEB)
- web.archive.org/web/20210128154006/https://www.dulwich.io/code/dulwich (ghsa: WEB)
- www.dulwich.io/code/dulwich (ghsa: WEB)
- www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6 (ghsa: WEB)