[Bug 1404035] Re: Errors in handling case-sensitive directories allow for remote code execution on pull

Launchpad Bug Tracker 1404035 at bugs.launchpad.net
Tue Jan 13 23:27:08 UTC 2015


This bug was fixed in the package git - 1:2.1.0-1ubuntu0.1

---------------
git (1:2.1.0-1ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Add protections against malicious git commits that
    overwrite git metadata on HFS+ and NTFS filesystems. Some of the
    protections are enabled by default but the majority require git config
    options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
    config variables to "true" if you use HFS+ and/or NTFS filesystems when
    pulling from untrusted git trees. Set the core.protectHFS,
    core.protectNTFS, and receive.fsckObjects git config variables to "true"
    if you host git trees and want to prevent malicious git commits from being
    pushed to your server. (LP: #1404035)
    - debian/diff/0009-CVE-2014-9390.diff: Check for potentially malicious
      paths in git commits. Based on upstream patches.
    - debian/rules: Set executable bit on a new test introduced in
      0009-CVE-2014-9390.diff
    - CVE-2014-9390
 -- Tyler Hicks <tyhicks at canonical.com>   Tue, 13 Jan 2015 12:42:16 -0600
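
The changelog above describes checks for tree paths that would alias the .git directory on HFS+ and NTFS, which is what core.protectHFS, core.protectNTFS and receive.fsckObjects reject. As an added illustration (not git's own code and not part of this bug report), the Python below applies that idea to a list of tree paths a hosting service might audit; the set of code points HFS+ ignores when comparing names and the GIT~1 short name are assumptions drawn from how those filesystems compare filenames, and the sample tree is constructed.

```python
# Code points that HFS+ ignores when comparing filenames (assumption based on
# how HFS+ name comparison works; not taken from this bug report).
HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def hfs_fold(component):
    """Fold a path component the way HFS+ compares it: drop ignored code points, ignore case."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORED).lower()


def ntfs_fold(component):
    """Fold a path component the way NTFS compares it: ignore case, drop trailing dots/spaces."""
    return component.lower().rstrip(". ")


def is_ntfs_dotgit_shortname(component):
    """'.git' is not a valid 8.3 name, so Windows can expose it as GIT~1 (assumption)."""
    return component.lower() == "git~1"


def aliases_dotgit(component):
    """True if this component would resolve to .git on a case-insensitive HFS+ or NTFS volume."""
    return (
        hfs_fold(component) == ".git"
        or ntfs_fold(component) == ".git"
        or is_ntfs_dotgit_shortname(component)
    )


def scan_tree(paths):
    """Return (path, offending_component) for every path that could overwrite git metadata."""
    findings = []
    for path in paths:
        for component in path.split("/"):
            if aliases_dotgit(component):
                findings.append((path, component))
                break
    return findings


# Constructed sample tree listing; the last four entries are the kind of paths the fix rejects.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                 # benign: longer than ".git", not an alias
    ".Git/hooks/post-checkout",   # case-insensitive collision
    ".git./config",               # NTFS drops the trailing dot
    "git~1/hooks/pre-commit",     # NTFS 8.3 short name
    ".g\u200cit/config",          # HFS+ ignores U+200C (zero width non-joiner)
]

if __name__ == "__main__":
    for path, component in scan_tree(SAMPLE_TREE):
        print(f"would alias .git: {path!r} (component {component!r})")
```

Running it prints one line for each of the four flagged entries; a clean tree yields no output.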

** Changed in: git (Ubuntu Utopic)
       Status: In Progress => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9390

https://bugs.launchpad.net/bugs/1404035

Title:
  Errors in handling case-sensitive directories allow for remote code
  execution on pull

Status in git package in Ubuntu:
  In Progress
Status in libgit2 package in Ubuntu:
  Confirmed
Status in mercurial package in Ubuntu:
  Fix Released
Status in git source package in Precise:
  Fix Released
Status in mercurial source package in Precise:
  In Progress
Status in git source package in Trusty:
  Fix Released
Status in libgit2 source package in Trusty:
  Confirmed
Status in mercurial source package in Trusty:
  In Progress
Status in git source package in Utopic:
  Fix Released
Status in libgit2 source package in Utopic:
  Confirmed
Status in mercurial source package in Utopic:
  In Progress
Status in git source package in Vivid:
  In Progress
Status in libgit2 source package in Vivid:
  Confirmed
Status in mercurial source package in Vivid:
  Fix Released

Bug description:
  From the upstream announcement[1]:

  This is a security-fix for CVE-2014-9390, which affects users on
  Windows and Mac OS X but not typical UNIX users.  A set of new
  releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
  v2.1.4) are published at the same time and they contain the same fix.
  Various implementations and ports, including Git for Windows, Git OS
  X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
  have been updated at the same time.

  Even though the issue may not affect Linux users, if you are a
  hosting service whose users may fetch from your service to Windows
  or Mac OS X machines, you are strongly encouraged to update to
  protect such users who use existing versions of Git.

  This issue also affects hg[2].

  [1]: http://article.gmane.org/gmane.linux.kernel/1853266
  [2]: http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29
