CVE-2014-9390

Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
git	24.04 LTS noble	Fixed 1:2.1.4-2
	23.10 mantic	Fixed 1:2.1.4-2
	23.04 lunar	Fixed 1:2.1.4-2
	22.10 kinetic	Fixed 1:2.1.4-2
	22.04 LTS jammy	Fixed 1:2.1.4-2
	21.10 impish	Fixed 1:2.1.4-2
	21.04 hirsute	Fixed 1:2.1.4-2
	20.10 groovy	Fixed 1:2.1.4-2
	20.04 LTS focal	Fixed 1:2.1.4-2
	19.10 eoan	Fixed 1:2.1.4-2
	19.04 disco	Fixed 1:2.1.4-2
	18.10 cosmic	Fixed 1:2.1.4-2
	18.04 LTS bionic	Fixed 1:2.1.4-2
	17.10 artful	Fixed 1:2.1.4-2
	17.04 zesty	Fixed 1:2.1.4-2
	16.10 yakkety	Fixed 1:2.1.4-2
	16.04 LTS xenial	Fixed 1:2.1.4-2
	15.10 wily	Fixed 1:2.1.4-2
	15.04 vivid	Fixed 1:2.1.4-2
	14.10 utopic	Fixed 1:2.1.0-1ubuntu0.1
	14.04 LTS trusty	Fixed 1:1.9.1-1ubuntu0.1
	12.04 LTS precise	Fixed 1:1.7.9.5-1ubuntu0.1
	10.04 LTS lucid	Not in release
git-core	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	19.10 eoan	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	15.10 wily	Not in release
	15.04 vivid	Not in release
	14.10 utopic	Not in release
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Ignored
jgit	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	19.10 eoan	Not affected
	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Ignored
	17.04 zesty	Ignored
	16.10 yakkety	Ignored
	16.04 LTS xenial	Not affected
	15.10 wily	Ignored
	15.04 vivid	Ignored
	14.10 utopic	Ignored
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release
libgit2	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	19.10 eoan	Not affected
	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Ignored
	17.04 zesty	Ignored
	16.10 yakkety	Ignored
	16.04 LTS xenial	Not affected
	15.10 wily	Ignored
	15.04 vivid	Ignored
	14.10 utopic	Ignored
	14.04 LTS trusty	Vulnerable
	12.04 LTS precise	Not in release
	10.04 LTS lucid	Not in release
mercurial	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	19.10 eoan	Not affected
	19.04 disco	Not affected
	18.10 cosmic	Not affected
	18.04 LTS bionic	Not affected
	17.10 artful	Not affected
	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.10 utopic	Fixed 3.1.1-1ubuntu0.2
	14.04 LTS trusty	Fixed 2.8.2-1ubuntu1.3
	12.04 LTS precise	Fixed 2.0.2-1ubuntu1.2
	10.04 LTS lucid	Ignored

Notes

kees

This CVE is about the git VCS. The "git" from hardy and earlier is not what was "git-core".

jdstrand

Maverick and later renamed 'git-core' to 'git', so 'git' in these releases does refer to git VCS. initially marked 'low' since default filesystems on Ubuntu are case-sensitive, however file servers serving these reopositories to clients need to be patched, so upping to medium

tyhicks

git upstream fixed a minor regression in the HFS+ .git filtering with commit 6aaf956b

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
git	Upstream: ?id=461 Upstream: ?id=96b Upstream: ?id=cc2 Upstream: ?id=450 Upstream: ?id=76e Upstream: ?id=616 Upstream: ?id=a42 Upstream: ?id=a18 Upstream: ?id=1d1 Upstream: ?id=2b4 Upstream: ?id=d08 Upstream: ?id=6aa
mercurial	Upstream: http://selenic.com/repo/hg-stable/rev/035434b407be Upstream: http://selenic.com/repo/hg-stable/rev/885bd7c5c7e3 Upstream: http://selenic.com/repo/hg-stable/rev/c02a05cc6f5e Upstream: http://selenic.com/repo/hg-stable/rev/7a5bcd471f2e Upstream: http://selenic.com/repo/hg-stable/rev/6dad422ecc5a

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-2470-1
Git vulnerability
14 January 2015

Cvss 3 Severity Score