Dulwich is vulnerable to arbitrary command execution. When using the SSH subprocess, an attacker can use an ssh URL with the -
dash character in the hostname.This is related to CVE-2017-9800
, CVE-2017-12836
, CVE-2017-12976
, CVE-2017-1000116
, and CVE-2017-1000117
.