Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 532984 (CVE-2014-9390) - <dev-vcs/git-{1.8.5.6,1.9.5,2.0.5} : arbitrary command execution in the client machine when cloning a mailicious tree (CVE-2014-9390)
Summary: <dev-vcs/git-{1.8.5.6,1.9.5,2.0.5} : arbitrary command execution in the clien...
Status: RESOLVED FIXED
Alias: CVE-2014-9390
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://github.com/blog/1938-vulnerab...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-18 21:31 UTC by Andreas K. Hüttel
Modified: 2015-09-24 17:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas K. Hüttel gentoo-dev 2014-12-18 21:31:40 UTC
https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html

Note, nearly everyone in Gentoo land should be fine as the vulnerability only affects git clones on case-insensitive file systems or on HFS+.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2014-12-18 22:12:25 UTC
+*git-2.2.1 (18 Dec 2014)
+*git-2.1.4 (18 Dec 2014)
+*git-2.0.5 (18 Dec 2014)
+*git-1.9.5 (18 Dec 2014)
+*git-1.8.5.6 (18 Dec 2014)
+
+  18 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> +git-1.8.5.6.ebuild,
+  -git-1.9.3.ebuild, +git-1.9.5.ebuild, +git-2.0.5.ebuild, -git-2.1.3.ebuild,
+  +git-2.1.4.ebuild, -git-2.2.0.ebuild, +git-2.2.1.ebuild,
+  -files/git-1.8.4-optional-cvs.patch:
+  Security bump (bug #532984). Removed old.
+

Arches please test and mark stable the following versions:

=dev-vcs/git-1.8.5.6
=dev-vcs/git-1.9.5
=dev-vcs/git-2.0.5

Target KEYWORDS are:
alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 2 Agostino Sarubbo gentoo-dev 2014-12-21 11:38:26 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-21 11:43:12 UTC
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-21 21:01:48 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-23 09:36:55 UTC
alpha stable
Comment 6 Markus Meier gentoo-dev 2014-12-23 12:48:15 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-24 14:36:39 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-24 14:46:44 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-25 11:28:31 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-26 09:30:08 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Lars Wendler (Polynomial-C) gentoo-dev 2014-12-26 13:55:32 UTC
+  26 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -git-1.8.3.2-r1.ebuild,
+  -git-1.8.5.5.ebuild, -git-2.0.4.ebuild, -files/git-1.8.2-optional-cvs.patch,
+  -files/git-daemon.initd:
+  Removed vulnerable versions.
+
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-29 01:58:54 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 17:06:35 UTC
This issue was resolved and addressed in
 GLSA 201509-06 at https://security.gentoo.org/glsa/201509-06
by GLSA coordinator Kristian Fiskerstrand (K_F).