Your submission was sent successfully! Close

CVE-2014-9706

Published: 31 March 2015

The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.

Priority

Medium

Status

Package Release Status
dulwich
Launchpad, Ubuntu, Debian
Upstream
Released (0.9.9)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(0.10.1-1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(0.10.1-1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)
Patches:
Upstream: https://git.samba.org/?p=jelmer/dulwich.git;a=commitdiff;h=091638be3c89f46f42c3b1d57dc1504af5729176