[Bug 1404035] Re: Errors in handling case-sensitive directories allow for remote code execution on pull

Launchpad Bug Tracker 1404035 at bugs.launchpad.net
Wed Jun 17 20:25:25 UTC 2015 

This bug was fixed in the package mercurial - 2.8.2-1ubuntu1.3

---------------
mercurial (2.8.2-1ubuntu1.3) trusty-security; urgency=medium

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix for improperly handling case-insensitive paths on
    Windows and OS X clients
    - http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
    - http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
    - http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
    - CVE-2014-9390
    - LP: #1404035

  [ Marc Deslauriers ]
  * SECURITY UPDATE: arbitrary command exection via crafted repository
    name in a clone command
    - d/p/from_upstream__sshpeer_more_thorough_shell_quoting.patch: add
      more thorough shell quoting to mercurial/sshpeer.py.
    - CVE-2014-9462
  * debian/patches/fix_ftbfs_patchbomb_test.patch: fix patchbomb test.

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Wed, 17 Jun 2015
10:51:42 -0400

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/1404035

Title:
  Errors in handling case-sensitive directories allow for remote code
  execution on pull

Status in git package in Ubuntu:
  Fix Released
Status in jgit package in Ubuntu:
  Confirmed
Status in libgit2 package in Ubuntu:
  Confirmed
Status in mercurial package in Ubuntu:
  Fix Released
Status in git source package in Precise:
  Fix Released
Status in mercurial source package in Precise:
  Fix Released
Status in git source package in Trusty:
  Fix Released
Status in jgit source package in Trusty:
  Confirmed
Status in libgit2 source package in Trusty:
  Confirmed
Status in mercurial source package in Trusty:
  Fix Released
Status in git source package in Utopic:
  Fix Released
Status in jgit source package in Utopic:
  Confirmed
Status in libgit2 source package in Utopic:
  Confirmed
Status in mercurial source package in Utopic:
  Fix Released
Status in git source package in Vivid:
  Fix Released
Status in jgit source package in Vivid:
  Confirmed
Status in libgit2 source package in Vivid:
  Confirmed
Status in mercurial source package in Vivid:
  Fix Released

Bug description:
  From the upstream announcement[1]:

  
  This is a security-fix for CVE-2014-9390, which affects users on
  Windows and Mac OS X but not typical UNIX users.  A set of new
  releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
  v2.1.4) are published at the same time and they contain the same fix.
  Various implementations and ports, including Git for Windows, Git OS
  X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
  have been updated at the same time.

  Even though the issue may not affect Linux users, if you are a
  hosting service whose users may fetch from your service to Windows
  or Mac OS X machines, you are strongly encouraged to update to
  protect such users who use existing versions of Git.

  This issue also affects hg[2].

  [1]: http://article.gmane.org/gmane.linux.kernel/1853266
  [2]: http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1404035/+subscriptions

More information about the foundations-bugs mailing list