CVE-2014-9390

Published: 19 December 2014

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
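As an added illustration (not code from this page, from Ubuntu, or from git upstream), the Python below approximates the per-path-component checks that the git fix introduced under the names is_hfs_dotgit and is_ntfs_dotgit, flagging tree entries that a case-insensitive HFS+ or NTFS filesystem would write into .git during checkout. The sample tree listing and the simplified separator handling (only '/') are assumptions made for the example.

```python
# Codepoints HFS+ ignores when comparing filenames: U+200C..U+200F,
# U+202A..U+202E, U+206A..U+206F and U+FEFF (the set git's fix filters out).
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070))
)


def is_hfs_dotgit(component: str) -> bool:
    """True if HFS+ would treat this path component as ".git": drop the
    ignorable codepoints, then compare case-insensitively."""
    visible = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    return visible.lower() == ".git"


def is_ntfs_dotgit(component: str) -> bool:
    """True if NTFS would open this component as .git: the filesystem strips
    trailing dots and spaces, compares case-insensitively, and resolves the
    8.3 short name GIT~1 to .git."""
    stripped = component.rstrip(". ").lower()
    return stripped in (".git", "git~1")


def is_dotgit_equivalent(component: str) -> bool:
    """Combined check: a checkout must reject both spellings, whatever the
    local filesystem, because the repository may be shared with other hosts."""
    return is_hfs_dotgit(component) or is_ntfs_dotgit(component)


def find_dotgit_paths(tree_paths):
    """Return the tree paths with any component that would alias .git.
    Simplification (assumption): only '/' is treated as a separator."""
    return [p for p in tree_paths
            if any(is_dotgit_equivalent(c) for c in p.split("/"))]


# Constructed sample tree listing for the example (not from a real repository).
SAMPLE_TREE = [
    "README.md",
    ".gitignore",
    "src/main.c",
    ".GIT/config",          # (3) mixed case on a case-insensitive filesystem
    "git~1/config",         # (2) NTFS 8.3 short-name representation
    ".g\u200cit/config",    # (1) zero-width non-joiner, ignorable on HFS+
    ".git./config",         # trailing dot, stripped by NTFS
]

if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("rejected:", repr(path))
```

The plain ".git" entry was already rejected by git before this CVE; the fix extended the rejection to every spelling a case-insensitive filesystem would collapse onto it, which is why servers hosting repositories for Windows and OS X clients also needed the patched version.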

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: git
  Upstream: Released (1:2.1.4-2)
  Ubuntu 21.04 (Hirsute Hippo): Released (1:2.1.4-2)
  Ubuntu 20.10 (Groovy Gorilla): Released (1:2.1.4-2)
  Ubuntu 20.04 LTS (Focal Fossa): Released (1:2.1.4-2)
  Ubuntu 18.04 LTS (Bionic Beaver): Released (1:2.1.4-2)
  Ubuntu 16.04 ESM (Xenial Xerus): Released (1:2.1.4-2)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [1:1.9.1-1ubuntu0.1])
  Patches:
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=4616918013bf4fb3ce61175702d963a1fdd87f84
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=96b50cc19003d54f5962d65597c94e2c52eb22e7
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=cc2fc7c2f07c4a2aba5a653137ac9b489e05df43
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=450870cba7a9bac94b5527021800bd8bf037c99c
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=76e86fc6e3523d28e8db00e7b10c33c553d996b8
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=6162a1d323d24fd8cbbb1a6145a91fb849b2568f
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=a42643aa8d88a2278acad2da6bc702e426476e9b
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=a18fcc9ff22b714e7df30c400c05542f52830eb0
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=1d1d69bc52dcc7def5b2edbd165cc0a4e3911c8e
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=2b4c6efc82119ba8f4169717473d95d1a89e4c69
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=d08c13b947335cc48ecc1a8453d97b7147c2d6d6
    Upstream: https://git.kernel.org/cgit/git/git.git/commit/?id=6aaf956b08cfab2dcaa1a1afe4192390d0ef14fd

Package: git-core
  Upstream: Needs triage
  Ubuntu 21.04 (Hirsute Hippo): Does not exist
  Ubuntu 20.10 (Groovy Gorilla): Does not exist
  Ubuntu 20.04 LTS (Focal Fossa): Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Package: jgit
  Upstream: Released (3.7.0-1)
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (3.7.1-2)
  Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (3.7.1-2)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.7.1-2)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (3.7.1-2)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (3.7.1-2)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)

Package: libgit2
  Upstream: Released (0.21.1-3)
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (0.24.1-2)
  Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (0.24.1-2)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (0.24.1-2)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (0.24.1-2)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (0.24.1-2)
  Ubuntu 14.04 ESM (Trusty Tahr): Needed

Package: mercurial
  Upstream: Released (3.1.2-2)
  Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (3.1.2-2)
  Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (3.1.2-2)
  Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (3.1.2-2)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (3.1.2-2)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (3.1.2-2)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (2.8.2-1ubuntu1.3)
  Patches:
    Upstream: http://selenic.com/repo/hg-stable/rev/035434b407be (pt0)
    Upstream: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3 (pt1)
    Upstream: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e (pt2)
    Upstream: http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e (pt3)
    Upstream: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a (pt4)

Notes

kees:
  This CVE is about the git VCS. The "git" from hardy and earlier is
  not what was "git-core".

jdstrand:
  Maverick and later renamed 'git-core' to 'git', so 'git' in these
  releases does refer to git VCS.
  Initially marked 'low' since default filesystems on Ubuntu are
  case-sensitive; however, file servers serving these repositories to clients
  need to be patched, so upping to medium.

tyhicks:
  git upstream fixed a minor regression in the HFS+ .git filtering with
  commit 6aaf956b
