CVE-2017-15298

Published: 14 October 2017

Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.

Priority

Low

CVSS 3 base score: 5.5

Status

Package | Release | Status
git | Upstream | Released (2.16.0)
git | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (1:2.17.0-1ubuntu1)
git | Ubuntu 16.04 ESM (Xenial Xerus) | Released (1:2.7.4-0ubuntu1.6)
git | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was released [1:1.9.1-1ubuntu0.10])

Patches:
Upstream: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a937b37e76