Errors in handling case-sensitive directories allow for remote code execution on pull

Bug #1404035 reported by Luke Faraone on 2014-12-18
This bug affects 2 people
Affects              Importance   Assigned to
git (Ubuntu)         Medium       Unassigned
  Precise            Medium       Tyler Hicks
  Trusty             Medium       Tyler Hicks
  Utopic             Medium       Tyler Hicks
  Vivid              Medium       Unassigned
jgit (Ubuntu)        Undecided    Unassigned
  Trusty             Undecided    Unassigned
  Utopic             Undecided    Unassigned
  Vivid              Undecided    Unassigned
libgit2 (Ubuntu)     Undecided    Unassigned
  Trusty             Undecided    Unassigned
  Utopic             Undecided    Unassigned
  Vivid              Undecided    Unassigned
mercurial (Ubuntu)   Medium       Unassigned
  Precise            Medium       Jamie Strandboge
  Trusty             Medium       Jamie Strandboge
  Utopic             Medium       Jamie Strandboge
  Vivid              Medium       Unassigned

Bug Description

From the upstream announcement[1]:

This is a security-fix for CVE-2014-9390, which affects users on
Windows and Mac OS X but not typical UNIX users. A set of new
releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
v2.1.4) are published at the same time and they contain the same fix.
Various implementations and ports, including Git for Windows, Git OS
X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
have been updated at the same time.

Even though the issue may not affect Linux users, if you are a
hosting service whose users may fetch from your service to Windows
or Mac OS X machines, you are strongly encouraged to update to
protect such users who use existing versions of Git.

This issue also affects hg[2].

[1]: http://article.gmane.org/gmane.linux.kernel/1853266
[2]: http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29

Luke Faraone (lfaraone) on 2014-12-18
Changed in git (Ubuntu):
importance: Undecided → High
information type: Public → Public Security
Changed in mercurial (Ubuntu):
importance: Undecided → High
Thomas Ward (teward) on 2014-12-19
Changed in git (Ubuntu):
status: New → Confirmed
Changed in mercurial (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

FYI, mercurial is in universe and is therefore community maintained. I took a look at it and have prepared packages in https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages. If someone could test them and verify they are ok, I can push them out as a security update.

Changed in mercurial (Ubuntu):
status: Confirmed → In Progress
Changed in mercurial (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mercurial (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mercurial (Ubuntu Utopic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mercurial (Ubuntu Vivid):
importance: High → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in git (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in git (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in git (Ubuntu Utopic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in git (Ubuntu Vivid):
status: Confirmed → In Progress
importance: High → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Jamie Strandboge (jdstrand) wrote :

Note, the packages in the ppa have not been tested yet (14.04-15.04 do pass the testsuite though, 12.04 needs a manual test run), so take care.

Xavier L. (xav0989) on 2014-12-20
no longer affects: libgit2 (Ubuntu Precise)
Javi Merino (cibervicho) wrote :

Jamie, I see in the changelog that you have applied these patches:

    - http://selenic.com/repo/hg-stable/rev/035434b407be
    - http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
    - http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
    - http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e
    - http://selenic.com/repo/hg-stable/rev/6dad422ecc5a

Have you checked with upstream if those are the only patches needed? Based on the release notes and the commit log I think you are right, but it may be worth double-checking with upstream.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libgit2 (Ubuntu Trusty):
status: New → Confirmed
Changed in libgit2 (Ubuntu Utopic):
status: New → Confirmed
Changed in libgit2 (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

FYI, the 14.04 mercurial packages FTBFS due to an unrelated issue: https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+build/6661971/+files/buildlog_ubuntu-trusty-amd64.mercurial_2.8.2-1ubuntu1.1_FAILEDTOBUILD.txt.gz. Specifically, the hghave tests are failing (and they fail with a no change rebuild too). If someone wanted to help debug that issue, that would be great. Thanks!

Javi Merino (cibervicho) wrote :

Jamie, the problem you have is that the patch you've backported passes "repo" as the first parameter to context.memfilectx() but in the mercurial version that you have, context.memfilectx() only receives the path and text. Just drop the "repo" argument in the tests as I've done for Debian Wheezy[0] and they will run.

[0] http://anonscm.debian.org/viewvc/python-apps/packages/mercurial/branches/wheezy/debian/patches/

This is not the best explanation ever, I'll send a patch later today.

Javi Merino (cibervicho) wrote :

Find the patch for the failing test-commit.t attached.

The attachment "fix test-commit.t for mercurial_2.8.2-1ubuntu1.1" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Thanks Javi! I've applied these and am testing them locally. I'll upload to the ppa once finished.

Jamie Strandboge (jdstrand) wrote :

mercurial on 15.04 was fixed in 3.1.2-2.

Changed in mercurial (Ubuntu Vivid):
status: In Progress → Fix Released
assignee: Jamie Strandboge (jdstrand) → nobody
Jamie Strandboge (jdstrand) wrote :

Javi, alright, so I updated that test with your patch as mentioned (thanks) which I certainly would've needed to do anyway, but test-hghave.t.sh on 14.04 never finishes and FTBFS (and it does with unpatched mercurial too). I'm happy to look at this myself when I have more time, but do you have an idea why this won't finish on 14.04, but does on other releases and Debian? Thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:2.1.0-1ubuntu0.1

---------------
git (1:2.1.0-1ubuntu0.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Add protections against malicious git commits that
    overwrite git metadata on HFS+ and NTFS filesystems. Some of the
    protections are enabled by default but the majority require git config
    options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
    config variables to "true" if you use HFS+ and/or NTFS filesystems when
    pulling from untrusted git trees. Set the core.protectHFS,
    core.protectNTFS, and receive.fsckObjects git config variables to "true"
    if you host git trees and want to prevent malicious git commits from being
    pushed to your server. (LP: #1404035)
    - debian/diff/0009-CVE-2014-9390.diff: Check for potentially malicious
      paths in git commits. Based on upstream patches.
    - debian/rules: Set executable bit on a new test introduced in
      0009-CVE-2014-9390.diff
    - CVE-2014-9390
 -- Tyler Hicks <email address hidden> Tue, 13 Jan 2015 12:42:16 -0600

Changed in git (Ubuntu Utopic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:1.7.9.5-1ubuntu0.1

---------------
git (1:1.7.9.5-1ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: Add protections against malicious git commits that
    overwrite git metadata on HFS+ and NTFS filesystems. Some of the
    protections are enabled by default but the majority require git config
    options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
    config variables to "true" if you use HFS+ and/or NTFS filesystems when
    pulling from untrusted git trees. Set the core.protectHFS,
    core.protectNTFS, and receive.fsckObjects git config variables to "true"
    if you host git trees and want to prevent malicious git commits from being
    pushed to your server. (LP: #1404035)
    - debian/diff/0015-CVE-2014-9390.diff: Check for potentially malicious
      paths in git commits. Based on upstream patches.
    - debian/rules: Set executable bit on a new test introduced in
      0015-CVE-2014-9390.diff
    - CVE-2014-9390
 -- Tyler Hicks <email address hidden> Tue, 13 Jan 2015 12:42:19 -0600

Changed in git (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package git - 1:1.9.1-1ubuntu0.1

---------------
git (1:1.9.1-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Add protections against malicious git commits that
    overwrite git metadata on HFS+ and NTFS filesystems. Some of the
    protections are enabled by default but the majority require git config
    options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
    config variables to "true" if you use HFS+ and/or NTFS filesystems when
    pulling from untrusted git trees. Set the core.protectHFS,
    core.protectNTFS, and receive.fsckObjects git config variables to "true"
    if you host git trees and want to prevent malicious git commits from being
    pushed to your server. (LP: #1404035)
    - debian/diff/0010-CVE-2014-9390.diff: Check for potentially malicious
      paths in git commits. Based on upstream patches.
    - debian/rules: Set executable bit on a new test introduced in
      0010-CVE-2014-9390.diff
    - CVE-2014-9390
 -- Tyler Hicks <email address hidden> Tue, 13 Jan 2015 12:42:17 -0600

Changed in git (Ubuntu Trusty):
status: In Progress → Fix Released
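
The changelog entries above describe checking commits for paths that would overwrite git metadata on HFS+ and NTFS. The following is an added example, not code from this bug report or from Git: a simplified model of such a path check that could run over a tree listing on a hosting server. The function names, the keyword switches mirroring core.protectHFS and core.protectNTFS, and the sample listing are assumptions made for illustration.

```python
# Added example: simplified model of ".git"-equivalence checks; not Git's code.

# Code points HFS+ ignores when comparing file names (zero-width and
# directional formatting characters).
HFS_IGNORED = {chr(c) for c in (
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
)}


def hfs_name(component):
    """Name as HFS+ compares it: ignorable code points dropped, case folded."""
    return "".join(ch for ch in component if ch not in HFS_IGNORED).lower()


def ntfs_name(component):
    """Name as NTFS resolves it: trailing dots and spaces dropped, case folded."""
    return component.rstrip(". ").lower()


def is_dotgit(component, protect_hfs=True, protect_ntfs=True):
    """True if this path component would land on the .git directory."""
    if component.lower() == ".git":  # case variants: checked whatever the switches
        return True
    if protect_hfs and hfs_name(component) == ".git":
        return True
    # "git~1" is the 8.3 short name NTFS typically assigns to ".git".
    return protect_ntfs and ntfs_name(component) in (".git", "git~1")


def find_unsafe_paths(paths, protect_hfs=True, protect_ntfs=True):
    """Return the tree paths containing a component equivalent to .git."""
    return [p for p in paths
            if any(is_dotgit(c, protect_hfs, protect_ntfs) for c in p.split("/"))]


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    "README.md", "src/.gitignore", "my.git/notes.txt",
    ".GIT/config", "docs/.g\u200cit/config", "GIT~1/config", ".git. /config",
]

if __name__ == "__main__":
    for path in find_unsafe_paths(SAMPLE_TREE):
        print("rejected:", ascii(path))
```

With both switches off, only the plain case variant is flagged, which is why the changelog asks hosts and HFS+/NTFS users to enable the config options explicitly.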
Tyler Hicks (tyhicks) wrote :

Vivid's git was previously updated for CVE-2014-9390 by an auto sync of git 1:2.1.4-2 from Debian Sid.

Changed in git (Ubuntu Vivid):
assignee: Tyler Hicks (tyhicks) → nobody
status: In Progress → Fix Released
Changed in jgit (Ubuntu Trusty):
status: New → Confirmed
Changed in jgit (Ubuntu Utopic):
status: New → Confirmed
Changed in jgit (Ubuntu Vivid):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mercurial - 2.0.2-1ubuntu1.2

---------------
mercurial (2.0.2-1ubuntu1.2) precise-security; urgency=medium

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix for improperly handling case-insensitive paths on
    Windows and OS X clients
    - http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
    - http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
    - http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
    - CVE-2014-9390
    - LP: #1404035

  [ Marc Deslauriers ]
  * SECURITY UPDATE: arbitrary command execution via crafted repository
    name in a clone command
    - d/p/from_upstream__sshpeer_more_thorough_shell_quoting.patch: add
      more thorough shell quoting to mercurial/sshrepo.py.
    - CVE-2014-9462

 -- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 13:27:17 -0400

Changed in mercurial (Ubuntu Precise):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mercurial - 3.1.1-1ubuntu0.2

---------------
mercurial (3.1.1-1ubuntu0.2) utopic-security; urgency=medium

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix for improperly handling case-insensitive paths on
    Windows and OS X clients
    - http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
    - http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
    - http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
    - CVE-2014-9390
    - LP: #1404035

  [ Marc Deslauriers ]
  * SECURITY UPDATE: arbitrary command execution via crafted repository
    name in a clone command
    - d/p/from_upstream__sshpeer_more_thorough_shell_quoting.patch: add
      more thorough shell quoting to mercurial/sshpeer.py.
    - CVE-2014-9462

 -- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 13:09:05 -0400

Changed in mercurial (Ubuntu Utopic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mercurial - 2.8.2-1ubuntu1.3

---------------
mercurial (2.8.2-1ubuntu1.3) trusty-security; urgency=medium

  [ Jamie Strandboge ]
  * SECURITY UPDATE: fix for improperly handling case-insensitive paths on
    Windows and OS X clients
    - http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3
    - http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e
    - http://selenic.com/repo/hg-stable/rev/6dad422ecc5a
    - CVE-2014-9390
    - LP: #1404035

  [ Marc Deslauriers ]
  * SECURITY UPDATE: arbitrary command execution via crafted repository
    name in a clone command
    - d/p/from_upstream__sshpeer_more_thorough_shell_quoting.patch: add
      more thorough shell quoting to mercurial/sshpeer.py.
    - CVE-2014-9462
  * debian/patches/fix_ftbfs_patchbomb_test.patch: fix patchbomb test.

 -- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 10:51:42 -0400

Changed in mercurial (Ubuntu Trusty):
status: In Progress → Fix Released
Jeremy Bicha (jbicha) on 2016-11-04
Changed in libgit2 (Ubuntu Utopic):
status: Confirmed → Invalid
Changed in libgit2 (Ubuntu):
status: Confirmed → Fix Released
Changed in jgit (Ubuntu):
status: Confirmed → Fix Released
Changed in jgit (Ubuntu Utopic):
status: Confirmed → Invalid
Changed in jgit (Ubuntu Vivid):
status: Confirmed → Invalid
Changed in libgit2 (Ubuntu Vivid):
status: Confirmed → Invalid
This report contains Public Security information
Everyone can see this security related information.
