CVE-2014-9390

NameCVE-2014-9390
DescriptionGit before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-237-1
Debian Bugs773640, 774048, 774050

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dulwich (PTS)buster0.19.11-2fixed
bullseye0.20.15-1fixed
bookworm0.21.2-1fixed
sid, trixie0.21.6-1fixed
git (PTS)buster1:2.20.1-2+deb10u3fixed
buster (security)1:2.20.1-2+deb10u8fixed
bullseye (security), bullseye1:2.30.2-1+deb11u2fixed
bookworm1:2.39.2-1.1fixed
sid, trixie1:2.43.0-1fixed
jgit (PTS)buster3.7.1-6fixed
bullseye4.11.9-1fixed
bookworm, sid, trixie4.11.9-2fixed
libgit2 (PTS)buster0.27.7+dfsg.1-0.2fixed
buster (security)0.27.7+dfsg.1-0.2+deb10u1fixed
bullseye1.1.0+dfsg.1-4+deb11u1fixed
bullseye (security)1.1.0+dfsg.1-4+deb11u2fixed
bookworm1.5.1+ds-1fixed
bookworm (security)1.5.1+ds-1+deb12u1fixed
sid, trixie1.7.2+ds-1fixed
mercurial (PTS)buster4.8.2-1+deb10u1fixed
bullseye5.6.1-4fixed
bookworm6.3.2-1fixed
sid, trixie6.6.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dulwichsource(unstable)0.10.1-1
gitsource(unstable)1:2.1.4-1
jgitsource(unstable)3.7.0-1774050
libgit2sourcejessie0.21.1-3
libgit2source(unstable)0.21.3-1774048
mercurialsourcesqueeze1.6.4-1+deb6u1DLA-237-1
mercurialsourcewheezy2.2.2-4
mercurialsource(unstable)3.1.2-2773640

Notes

[wheezy] - git <no-dsa> (Minor issue)
[squeeze] - git <no-dsa> (Minor issue)
[jessie] - jgit <no-dsa> (Minor issue)
[wheezy] - jgit <no-dsa> (Minor issue)
[squeeze] - mercurial <no-dsa> (Minor issue)
[jessie] - dulwich <no-dsa> (Minor issue)
[wheezy] - dulwich <no-dsa> (Minor issue)
[squeeze] - dulwich <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems