Errors in handling case-sensitive directories allow for remote code execution on pull
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| git (Ubuntu) |
Medium
|
Unassigned | |||
| Precise |
Medium
|
Tyler Hicks | |||
| Trusty |
Medium
|
Tyler Hicks | |||
| Utopic |
Medium
|
Tyler Hicks | |||
| Vivid |
Medium
|
Unassigned | |||
| jgit (Ubuntu) |
Undecided
|
Unassigned | |||
| Trusty |
Undecided
|
Unassigned | |||
| Utopic |
Undecided
|
Unassigned | |||
| Vivid |
Undecided
|
Unassigned | |||
| libgit2 (Ubuntu) |
Undecided
|
Unassigned | |||
| Trusty |
Undecided
|
Unassigned | |||
| Utopic |
Undecided
|
Unassigned | |||
| Vivid |
Undecided
|
Unassigned | |||
| mercurial (Ubuntu) |
Medium
|
Unassigned | |||
| Precise |
Medium
|
Jamie Strandboge | |||
| Trusty |
Medium
|
Jamie Strandboge | |||
| Utopic |
Medium
|
Jamie Strandboge | |||
| Vivid |
Medium
|
Unassigned | |||
Bug Description
From the upstream announcement[1]:
This is a security-fix for CVE-2014-9390, which affects users on
Windows and Mac OS X but not typical UNIX users. A set of new
releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
v2.1.4) are published at the same time and they contain the same fix.
Various implementations and ports, including Git for Windows, Git OS
X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
have been updated at the same time.
Even though the issue may not affect Linux users, if you are a
hosting service whose users may fetch from your service to Windows
or Mac OS X machines, you are strongly encouraged to update to
protect such users who use existing versions of Git.
This issue also affects hg[2].
[1]: http://
[2]: http://
| Changed in git (Ubuntu): | |
| importance: | Undecided → High |
| information type: | Public → Public Security |
| Changed in mercurial (Ubuntu): | |
| importance: | Undecided → High |
| Changed in git (Ubuntu): | |
| status: | New → Confirmed |
| Changed in mercurial (Ubuntu): | |
| status: | New → Confirmed |
| Jamie Strandboge (jdstrand) wrote : | #1 |
| Changed in mercurial (Ubuntu): | |
| status: | Confirmed → In Progress |
| Changed in mercurial (Ubuntu Precise): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in mercurial (Ubuntu Trusty): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in mercurial (Ubuntu Utopic): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in mercurial (Ubuntu Vivid): | |
| importance: | High → Medium |
| assignee: | nobody → Jamie Strandboge (jdstrand) |
| Changed in git (Ubuntu Precise): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| Changed in git (Ubuntu Trusty): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| Changed in git (Ubuntu Utopic): | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| Changed in git (Ubuntu Vivid): | |
| status: | Confirmed → In Progress |
| importance: | High → Medium |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| Jamie Strandboge (jdstrand) wrote : | #2 |
Note, the packages in the ppa have not been tested yet (14.04-15.04 do pass the testsuite though, 12.04 needs a manual test run), so take care.
| no longer affects: | libgit2 (Ubuntu Precise) |
| Javi Merino (cibervicho) wrote : | #3 |
Jamie, I see in the changelog that you have applied this patches:
- http://
- http://
- http://
- http://
- http://
Have you checked with upstream if those are the only patches needed? Based on the release notes and the commit log I think you are right, but it may be worth double-checking with upstream.
| Launchpad Janitor (janitor) wrote : | #4 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in libgit2 (Ubuntu Trusty): | |
| status: | New → Confirmed |
| Changed in libgit2 (Ubuntu Utopic): | |
| status: | New → Confirmed |
| Changed in libgit2 (Ubuntu): | |
| status: | New → Confirmed |
| Jamie Strandboge (jdstrand) wrote : | #7 |
FYI, the 14.04 mercurial packages FTBFS due to an unrelated issue: https:/
| Javi Merino (cibervicho) wrote : | #8 |
Jamie, the problem you have is that the patch you've backported passes "repo" as the first parameter to context.
[0] http://
This is not the best explanation ever, I'll send a patch later today.
| Javi Merino (cibervicho) wrote : | #9 |
Find the patch for the failing test-commit.t attached.
The attachment "fix test-commit.t for mercurial_
[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]
| tags: | added: patch |
| Jamie Strandboge (jdstrand) wrote : | #11 |
Thanks Javi! I've applied these and are testing them locally. I'll upload to the ppa once finished.
| Jamie Strandboge (jdstrand) wrote : | #12 |
mercurial on 15.04 was fixed in 3.1.2-2.
| Changed in mercurial (Ubuntu Vivid): | |
| status: | In Progress → Fix Released |
| assignee: | Jamie Strandboge (jdstrand) → nobody |
| Jamie Strandboge (jdstrand) wrote : | #13 |
Javi, alright, so I updated that test with your patch as mentioned (thanks) which I certainly would've needed to do anyway, but test-hghave.t.sh on 14.04 never finishes and FTBFS (and it does with unpatched mercurial too). I'm happy to look at this myself when I have more time, but do you have an idea why this is won't finish on 14.04, but does on other releases and Debian? Thanks
| Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package git - 1:2.1.0-1ubuntu0.1
---------------
git (1:2.1.
* SECURITY UPDATE: Add protections against malicious git commits that
overwrite git metadata on HFS+ and NTFS filesystems. Some of the
protections are enabled by default but the majority require git config
options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
config variables to "true" if you use HFS+ and/or NTFS filesystems when
pulling from untrusted git trees. Set the core.protectHFS,
core.
if you host git trees and want to prevent malicious git commits from being
pushed to your server. (LP: #1404035)
- debian/
paths in git commits. Based on upstream patches.
- debian/rules: Set executable bit on a new test introduced in
0009-
- CVE-2014-9390
-- Tyler Hicks <email address hidden> Tue, 13 Jan 2015 12:42:16 -0600
| Changed in git (Ubuntu Utopic): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #15 |
This bug was fixed in the package git - 1:1.7.9.
---------------
git (1:1.7.
* SECURITY UPDATE: Add protections against malicious git commits that
overwrite git metadata on HFS+ and NTFS filesystems. Some of the
protections are enabled by default but the majority require git config
options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
config variables to "true" if you use HFS+ and/or NTFS filesystems when
pulling from untrusted git trees. Set the core.protectHFS,
core.
if you host git trees and want to prevent malicious git commits from being
pushed to your server. (LP: #1404035)
- debian/
paths in git commits. Based on upstream patches.
- debian/rules: Set executable bit on a new test introduced in
0015-
- CVE-2014-9390
-- Tyler Hicks <email address hidden> Tue, 13 Jan 2015 12:42:19 -0600
| Changed in git (Ubuntu Precise): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #16 |
This bug was fixed in the package git - 1:1.9.1-1ubuntu0.1
---------------
git (1:1.9.
* SECURITY UPDATE: Add protections against malicious git commits that
overwrite git metadata on HFS+ and NTFS filesystems. Some of the
protections are enabled by default but the majority require git config
options to be enabled. Set the core.protectHFS and/or core.protectNTFS git
config variables to "true" if you use HFS+ and/or NTFS filesystems when
pulling from untrusted git trees. Set the core.protectHFS,
core.
if you host git trees and want to prevent malicious git commits from being
pushed to your server. (LP: #1404035)
- debian/
paths in git commits. Based on upstream patches.
- debian/rules: Set executable bit on a new test introduced in
0010-
- CVE-2014-9390
-- Tyler Hicks <email address hidden> Tue, 13 Jan 2015 12:42:17 -0600
| Changed in git (Ubuntu Trusty): | |
| status: | In Progress → Fix Released |
| Tyler Hicks (tyhicks) wrote : | #17 |
Vivid's git was previously updated for CVE-2014-9390 by an auto sync of git 1:2.1.4-2 from Debian Sid.
| Changed in git (Ubuntu Vivid): | |
| assignee: | Tyler Hicks (tyhicks) → nobody |
| status: | In Progress → Fix Released |
| Changed in jgit (Ubuntu Trusty): | |
| status: | New → Confirmed |
| Changed in jgit (Ubuntu Utopic): | |
| status: | New → Confirmed |
| Changed in jgit (Ubuntu Vivid): | |
| status: | New → Confirmed |
| Launchpad Janitor (janitor) wrote : | #18 |
This bug was fixed in the package mercurial - 2.0.2-1ubuntu1.2
---------------
mercurial (2.0.2-1ubuntu1.2) precise-security; urgency=medium
[ Jamie Strandboge ]
* SECURITY UPDATE: fix for improperly handling case-insensitive paths on
Windows and OS X clients
- http://
- http://
- http://
- CVE-2014-9390
- LP: #1404035
[ Marc Deslauriers ]
* SECURITY UPDATE: arbitrary command exection via crafted repository
name in a clone command
- d/p/from_
more thorough shell quoting to mercurial/
- CVE-2014-9462
-- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 13:27:17 -0400
| Changed in mercurial (Ubuntu Precise): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #19 |
This bug was fixed in the package mercurial - 3.1.1-1ubuntu0.2
---------------
mercurial (3.1.1-1ubuntu0.2) utopic-security; urgency=medium
[ Jamie Strandboge ]
* SECURITY UPDATE: fix for improperly handling case-insensitive paths on
Windows and OS X clients
- http://
- http://
- http://
- CVE-2014-9390
- LP: #1404035
[ Marc Deslauriers ]
* SECURITY UPDATE: arbitrary command exection via crafted repository
name in a clone command
- d/p/from_
more thorough shell quoting to mercurial/
- CVE-2014-9462
-- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 13:09:05 -0400
| Changed in mercurial (Ubuntu Utopic): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #20 |
This bug was fixed in the package mercurial - 2.8.2-1ubuntu1.3
---------------
mercurial (2.8.2-1ubuntu1.3) trusty-security; urgency=medium
[ Jamie Strandboge ]
* SECURITY UPDATE: fix for improperly handling case-insensitive paths on
Windows and OS X clients
- http://
- http://
- http://
- CVE-2014-9390
- LP: #1404035
[ Marc Deslauriers ]
* SECURITY UPDATE: arbitrary command exection via crafted repository
name in a clone command
- d/p/from_
more thorough shell quoting to mercurial/
- CVE-2014-9462
* debian/
-- Marc Deslauriers <email address hidden> Wed, 17 Jun 2015 10:51:42 -0400
| Changed in mercurial (Ubuntu Trusty): | |
| status: | In Progress → Fix Released |
| Changed in libgit2 (Ubuntu Utopic): | |
| status: | Confirmed → Invalid |
| Changed in libgit2 (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Changed in jgit (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Changed in jgit (Ubuntu Utopic): | |
| status: | Confirmed → Invalid |
| Changed in jgit (Ubuntu Vivid): | |
| status: | Confirmed → Invalid |
| Changed in libgit2 (Ubuntu Vivid): | |
| status: | Confirmed → Invalid |
FYI, mercurial is in universe and is therefore community maintained. I took a look at it and have prepared packages in https:/