CVE-2014-9938

Priority
Medium
Description
contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize
branch names in the PS1 variable, allowing a malicious repository to cause
code execution.
Notes
 mdeslaur> PoC: https://github.com/njhartwell/pw3nage
 mdeslaur> only affects 1.8.1+
Assigned-to
mdeslaur
Package
Source: git (LP Ubuntu Debian)
Upstream: released (1:2.0.0~rc2-1)
Ubuntu 12.04 LTS (Precise Pangolin): not-affected (1:1.7.9.5-1ubuntu0.3)
Ubuntu 14.04 LTS (Trusty Tahr): released (1:1.9.1-1ubuntu0.4)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1:2.7.4-0ubuntu1)
Ubuntu 16.10 (Yakkety Yak): not-affected
Ubuntu 17.04 (Zesty Zapus): not-affected
Patches:
Upstream: https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f
Updated: 2017-03-23 13:14:32 UTC (commit 12288)