PublicDateAtUSN: 2014-12-19
Candidate: CVE-2014-9390
PublicDate: 2020-02-12 02:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
 http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html
 http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29
 http://article.gmane.org/gmane.linux.kernel/1853266
 https://developer.atlassian.com/blog/2014/12/securing-your-git-server/
 https://ubuntu.com/security/notices/USN-2470-1
Description:
 Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Ubuntu-Description:
Notes:
 kees> This CVE is about the git VCS. The "git" from hardy and earlier is not what was "git-core".
 jdstrand> Maverick and later renamed 'git-core' to 'git', so 'git' in these releases does refer to git VCS.
 jdstrand> initially marked 'low' since default filesystems on Ubuntu are case-sensitive, however file servers serving these repositories to clients need to be patched, so upping to medium
 tyhicks> git upstream fixed a minor regression in the HFS+ .git filtering with commit 6aaf956b
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/git/+bug/1404035
Priority: medium
Discovered-by: Matt Mackall and Augie Fackler
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_git-core:
upstream_git-core: needs-triage
lucid_git-core: ignored (reached end-of-life)
precise_git-core: DNE
precise/esm_git-core: DNE
trusty_git-core: DNE
trusty/esm_git-core: DNE
utopic_git-core: DNE
vivid_git-core: DNE
vivid/stable-phone-overlay_git-core: DNE
vivid/ubuntu-core_git-core: DNE
wily_git-core: DNE
xenial_git-core: DNE
yakkety_git-core: DNE
zesty_git-core: DNE
artful_git-core: DNE
bionic_git-core: DNE
cosmic_git-core: DNE
disco_git-core: DNE
eoan_git-core: DNE
focal_git-core: DNE
groovy_git-core: DNE
hirsute_git-core: DNE
impish_git-core: DNE
jammy_git-core: DNE
devel_git-core: DNE

Patches_git:
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=4616918013bf4fb3ce61175702d963a1fdd87f84
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=96b50cc19003d54f5962d65597c94e2c52eb22e7
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=cc2fc7c2f07c4a2aba5a653137ac9b489e05df43
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=450870cba7a9bac94b5527021800bd8bf037c99c
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=76e86fc6e3523d28e8db00e7b10c33c553d996b8
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=6162a1d323d24fd8cbbb1a6145a91fb849b2568f
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=a42643aa8d88a2278acad2da6bc702e426476e9b
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=a18fcc9ff22b714e7df30c400c05542f52830eb0
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=1d1d69bc52dcc7def5b2edbd165cc0a4e3911c8e
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=2b4c6efc82119ba8f4169717473d95d1a89e4c69
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=d08c13b947335cc48ecc1a8453d97b7147c2d6d6
 upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=6aaf956b08cfab2dcaa1a1afe4192390d0ef14fd
upstream_git: released (1:2.1.4-2)
lucid_git: DNE
precise_git: released (1:1.7.9.5-1ubuntu0.1)
precise/esm_git: DNE (precise was released [1:1.7.9.5-1ubuntu0.1])
trusty_git: released (1:1.9.1-1ubuntu0.1)
trusty/esm_git: DNE (trusty was released [1:1.9.1-1ubuntu0.1])
utopic_git: released (1:2.1.0-1ubuntu0.1)
vivid_git: released (1:2.1.4-2)
vivid/stable-phone-overlay_git: DNE
vivid/ubuntu-core_git: DNE
wily_git: released (1:2.1.4-2)
xenial_git: released (1:2.1.4-2)
esm-infra/xenial_git: released (1:2.1.4-2)
yakkety_git: released (1:2.1.4-2)
zesty_git: released (1:2.1.4-2)
artful_git: released (1:2.1.4-2)
bionic_git: released (1:2.1.4-2)
cosmic_git: released (1:2.1.4-2)
disco_git: released (1:2.1.4-2)
eoan_git: released (1:2.1.4-2)
focal_git: released (1:2.1.4-2)
groovy_git: released (1:2.1.4-2)
hirsute_git: released (1:2.1.4-2)
impish_git: released (1:2.1.4-2)
jammy_git: released (1:2.1.4-2)
devel_git: released (1:2.1.4-2)

Patches_libgit2:
upstream_libgit2: released (0.21.1-3)
lucid_libgit2: DNE
precise_libgit2: DNE
precise/esm_libgit2: DNE
trusty_libgit2: ignored (out of standard support)
trusty/esm_libgit2: needed
utopic_libgit2: ignored (reached end-of-life)
vivid_libgit2: ignored (reached end-of-life)
vivid/stable-phone-overlay_libgit2: DNE
vivid/ubuntu-core_libgit2: DNE
wily_libgit2: ignored (reached end-of-life)
xenial_libgit2: not-affected (0.24.1-2)
yakkety_libgit2: ignored (reached end-of-life)
zesty_libgit2: ignored (reached end-of-life)
artful_libgit2: ignored (reached end-of-life)
bionic_libgit2: not-affected (0.24.1-2)
cosmic_libgit2: not-affected (0.24.1-2)
disco_libgit2: not-affected (0.24.1-2)
eoan_libgit2: not-affected (0.24.1-2)
focal_libgit2: not-affected (0.24.1-2)
groovy_libgit2: not-affected (0.24.1-2)
hirsute_libgit2: not-affected (0.24.1-2)
impish_libgit2: not-affected (0.24.1-2)
jammy_libgit2: not-affected (0.24.1-2)
devel_libgit2: not-affected (0.24.1-2)

Patches_mercurial:
 upstream: http://selenic.com/repo/hg-stable/rev/035434b407be (pt0)
 upstream: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3 (pt1)
 upstream: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e (pt2)
 upstream: http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e (pt3)
 upstream: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a (pt4)
upstream_mercurial: released (3.1.2-2)
lucid_mercurial: ignored (reached end-of-life)
precise_mercurial: released (2.0.2-1ubuntu1.2)
precise/esm_mercurial: DNE (precise was released [2.0.2-1ubuntu1.2])
trusty_mercurial: released (2.8.2-1ubuntu1.3)
trusty/esm_mercurial: released (2.8.2-1ubuntu1.3)
utopic_mercurial: released (3.1.1-1ubuntu0.2)
vivid_mercurial: not-affected (3.1.2-2)
vivid/stable-phone-overlay_mercurial: DNE
vivid/ubuntu-core_mercurial: DNE
wily_mercurial: not-affected (3.1.2-2)
xenial_mercurial: not-affected (3.1.2-2)
yakkety_mercurial: not-affected (3.1.2-2)
zesty_mercurial: not-affected (3.1.2-2)
artful_mercurial: not-affected (3.1.2-2)
bionic_mercurial: not-affected (3.1.2-2)
cosmic_mercurial: not-affected (3.1.2-2)
disco_mercurial: not-affected (3.1.2-2)
eoan_mercurial: not-affected (3.1.2-2)
focal_mercurial: not-affected (3.1.2-2)
groovy_mercurial: not-affected (3.1.2-2)
hirsute_mercurial: not-affected (3.1.2-2)
impish_mercurial: not-affected (3.1.2-2)
jammy_mercurial: not-affected (3.1.2-2)
devel_mercurial: not-affected (3.1.2-2)

Patches_jgit:
upstream_jgit: released (3.7.0-1)
lucid_jgit: DNE
precise_jgit: DNE
precise/esm_jgit: DNE
trusty_jgit: ignored (reached end-of-life)
trusty/esm_jgit: DNE (trusty was needed)
utopic_jgit: ignored (reached end-of-life)
vivid_jgit: ignored (reached end-of-life)
vivid/stable-phone-overlay_jgit: DNE
vivid/ubuntu-core_jgit: DNE
wily_jgit: ignored (reached end-of-life)
xenial_jgit: not-affected (3.7.1-2)
yakkety_jgit: ignored (reached end-of-life)
zesty_jgit: ignored (reached end-of-life)
artful_jgit: ignored (reached end-of-life)
bionic_jgit: not-affected (3.7.1-2)
cosmic_jgit: not-affected (3.7.1-2)
disco_jgit: not-affected (3.7.1-2)
eoan_jgit: not-affected (3.7.1-2)
focal_jgit: not-affected (3.7.1-2)
groovy_jgit: not-affected (3.7.1-2)
hirsute_jgit: not-affected (3.7.1-2)
impish_jgit: not-affected (3.7.1-2)
jammy_jgit: not-affected (3.7.1-2)
devel_jgit: not-affected (3.7.1-2)