SB2013082702 - Input validation error in git (Alpine package)
Published: August 27, 2013
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2014-9390)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
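An added example, not part of the bulletin or of Git's own code: a Python check that a repository host or CI job could run over tree path names to flag components that would resolve to `.git` in the three ways described above. The function names, the sample paths and the list of HFS+-ignored code points are assumptions.

```python
import re

# Code points that HFS+ ignores when comparing file names
# (assumed list, not taken from the bulletin).
HFS_IGNORABLE = re.compile("[\u200c-\u200f\u202a-\u202e\u206a-\u206f\ufeff]")


def dotgit_alias(component):
    """Return why a single path component would map to .git, or None."""
    if component == ".git":
        return "literal .git"
    stripped = HFS_IGNORABLE.sub("", component)
    if stripped != component and stripped.lower() == ".git":
        return "ignorable Unicode code point"
    if component.lower() == "git~1":
        return "8.3 short name"
    if component.lower() == ".git":
        return "mixed case"
    return None


def scan_tree(paths):
    """Return (path, reason) for every path with a .git-aliasing component."""
    findings = []
    for path in paths:
        for part in path.split("/"):
            reason = dotgit_alias(part)
            if reason:
                findings.append((path, reason))
                break
    return findings


# Constructed sample paths, as they might appear in a tree listing.
SAMPLE_PATHS = [
    "src/main.c",
    ".GIT/config",
    "GIT~1/config",
    ".g\u200cit/config",
    "docs/.gitignore",
    "vendor/.Git/hooks/post-checkout",
]

if __name__ == "__main__":
    for path, reason in scan_tree(SAMPLE_PATHS):
        print(f"{path!r}: {reason}")
```
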
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e2b70082fe35c6f92ccd0ce552a3dea1e769b0fa
- https://git.alpinelinux.org/aports/commit/?id=91429ca1b2e79d29a508d429dfab4c988d7239a3
- https://git.alpinelinux.org/aports/commit/?id=de4229a6e3c8b341a9e045a0e7248ef19ec1a5b7
- https://git.alpinelinux.org/aports/commit/?id=1253f80db0b24722e01268175fe6982c37f1ee78