CVE-2014-9390

NameCVE-2014-9390
DescriptionGit before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-237-1
NVD severityhigh
Debian Bugs773640, 774048, 774050

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dulwich (PTS)stretch0.16.3-1fixed
buster0.19.11-2fixed
bullseye0.20.2-1fixed
sid0.20.6-1fixed
git (PTS)stretch (security), stretch1:2.11.0-3+deb9u7fixed
buster, buster (security)1:2.20.1-2+deb10u3fixed
bullseye, sid1:2.28.0-1fixed
jgit (PTS)stretch3.7.1-4fixed
bullseye, sid, buster3.7.1-6fixed
libgit2 (PTS)stretch0.25.1+really0.24.6-1fixed
buster0.27.7+dfsg.1-0.2fixed
bullseye, sid0.28.5+dfsg.1-1fixed
mercurial (PTS)stretch4.0-1+deb9u1fixed
stretch (security)4.0-1+deb9u2fixed
buster4.8.2-1+deb10u1fixed
bullseye, sid5.5.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dulwichsource(unstable)0.10.1-1
gitsource(unstable)1:2.1.4-1
jgitsource(unstable)3.7.0-1774050
libgit2sourcejessie0.21.1-3
libgit2source(unstable)0.21.3-1774048
mercurialsourcesqueeze1.6.4-1+deb6u1DLA-237-1
mercurialsourcewheezy2.2.2-4
mercurialsource(unstable)3.1.2-2773640

Notes

[wheezy] - git <no-dsa> (Minor issue)
[squeeze] - git <no-dsa> (Minor issue)
[jessie] - jgit <no-dsa> (Minor issue)
[wheezy] - jgit <no-dsa> (Minor issue)
[squeeze] - mercurial <no-dsa> (Minor issue)
[jessie] - dulwich <no-dsa> (Minor issue)
[wheezy] - dulwich <no-dsa> (Minor issue)
[squeeze] - dulwich <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems