[Bug 1404035] Re: Errors in handling case-sensitive directories allow for remote code execution on pull

Jamie Strandboge jamie at ubuntu.com
Fri Dec 19 21:39:30 UTC 2014


FYI, mercurial is in universe and is therefore community maintained. I
took a look at it and have prepared packages in
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages. If someone
could test them and verify they are ok, I can push them out as a
security update.

** Changed in: mercurial (Ubuntu)
       Status: Confirmed => In Progress

** Also affects: git (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: mercurial (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: git (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: mercurial (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: git (Ubuntu Vivid)
   Importance: High
       Status: Confirmed

** Also affects: mercurial (Ubuntu Vivid)
   Importance: High
       Status: In Progress

** Also affects: git (Ubuntu Utopic)
   Importance: Undecided
       Status: New

** Also affects: mercurial (Ubuntu Utopic)
   Importance: Undecided
       Status: New

** Changed in: mercurial (Ubuntu Precise)
       Status: New => In Progress

** Changed in: mercurial (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: mercurial (Ubuntu Precise)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: mercurial (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: mercurial (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: mercurial (Ubuntu Trusty)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: mercurial (Ubuntu Utopic)
       Status: New => In Progress

** Changed in: mercurial (Ubuntu Utopic)
   Importance: Undecided => Medium

** Changed in: mercurial (Ubuntu Utopic)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: mercurial (Ubuntu Vivid)
   Importance: High => Medium

** Changed in: mercurial (Ubuntu Vivid)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: git (Ubuntu Precise)
       Status: New => In Progress

** Changed in: git (Ubuntu Precise)
   Importance: Undecided => Medium

** Changed in: git (Ubuntu Precise)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: git (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: git (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: git (Ubuntu Trusty)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: git (Ubuntu Utopic)
       Status: New => In Progress

** Changed in: git (Ubuntu Utopic)
   Importance: Undecided => Medium

** Changed in: git (Ubuntu Utopic)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: git (Ubuntu Vivid)
       Status: Confirmed => In Progress

** Changed in: git (Ubuntu Vivid)
   Importance: High => Medium

** Changed in: git (Ubuntu Vivid)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

https://bugs.launchpad.net/bugs/1404035

Title:
  Errors in handling case-sensitive directories allow for remote code
  execution on pull

Status in git package in Ubuntu:
  In Progress
Status in mercurial package in Ubuntu:
  In Progress
Status in git source package in Precise:
  In Progress
Status in mercurial source package in Precise:
  In Progress
Status in git source package in Trusty:
  In Progress
Status in mercurial source package in Trusty:
  In Progress
Status in git source package in Utopic:
  In Progress
Status in mercurial source package in Utopic:
  In Progress
Status in git source package in Vivid:
  In Progress
Status in mercurial source package in Vivid:
  In Progress

Bug description:
  From the upstream announcement[1]:

  
  This is a security-fix for CVE-2014-9390, which affects users on
  Windows and Mac OS X but not typical UNIX users.  A set of new
  releases for older maintenance tracks (v1.8.5.6, v1.9.5, v2.0.5, and
  v2.1.4) are published at the same time and they contain the same fix.
  Various implementations and ports, including Git for Windows, Git OS
  X installer, JGit & EGit, libgit2 (and Visual Studio which uses it)
  have been updated at the same time.

  Even though the issue may not affect Linux users, if you are a
  hosting service whose users may fetch from your service to Windows
  or Mac OS X machines, you are strongly encouraged to update to
  protect such users who use existing versions of Git.

  This issue also affects hg[2].

  [1]: http://article.gmane.org/gmane.linux.kernel/1853266
  [2]: http://mercurial.selenic.com/wiki/WhatsNew#Mercurial_3.2.3_.282014-12-18.29
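The announcement quoted above says only that the bug affects Windows and
Mac OS X users on pull, not why. The mechanism is that a tree entry whose
name is not literally ".git", but which the client's filesystem maps onto
".git", is checked out into the repository's own metadata directory; a
file landing in .git/hooks is then executed by git itself. The checker
below is an added example for this bug report and is not git's or
Mercurial's code: it flags path components that NTFS or HFS+ would fold
onto ".git". The folding rules (NTFS case-insensitivity, stripping of
trailing dots and spaces, the 8.3 short name GIT~1; the set of code points
HFS+ ignores in name comparison) are my own reading of the upstream fix,
and SAMPLE_TREE is a constructed input.

```python
# Added example, not git's or Mercurial's code: reject tree entry names that a
# case-insensitive or name-mangling filesystem would map onto ".git".
# The rules and code point lists are my reading of the CVE-2014-9390 fix.

# Code points HFS+ ignores when comparing file names, so ".g\u200cit" and
# ".git" name the same directory on OS X.  (Assumed set.)
HFS_IGNORABLE = frozenset(
    list(range(0x200C, 0x2010))      # ZWNJ, ZWJ, LRM, RLM
    + list(range(0x202A, 0x202F))    # bidi embedding / override controls
    + list(range(0x206A, 0x2070))    # deprecated format characters
    + [0xFEFF]                       # zero-width no-break space / BOM
)


def is_plain_dotgit(component: str) -> bool:
    """The baseline check every platform needs: the literal name '.git'."""
    return component == ".git"


def is_ntfs_dotgit(component: str) -> bool:
    """True if NTFS would treat this path component as '.git'.

    Windows compares names case-insensitively, silently drops trailing dots
    and spaces, and also exposes '.git' under the 8.3 short name 'GIT~1'.
    """
    stripped = component.rstrip(" .").casefold()
    return stripped in (".git", "git~1")


def is_hfs_dotgit(component: str) -> bool:
    """True if HFS+ would treat this path component as '.git'."""
    folded = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    return folded.casefold() == ".git"


def dotgit_collision_reasons(path: str) -> list:
    """Return the reasons a tree path must be rejected, or [] if it is safe.

    Every component is checked: 'sub/.Git/hooks/x' reaches a nested
    repository's hook directory just as a top-level entry reaches the root's.
    """
    reasons = []
    for component in path.split("/"):
        if is_plain_dotgit(component):
            reasons.append(f"{component!r}: literal .git")
            continue
        if is_ntfs_dotgit(component):
            reasons.append(f"{component!r}: collides with .git on NTFS")
        if is_hfs_dotgit(component):
            reasons.append(f"{component!r}: collides with .git on HFS+")
    return reasons


def find_unsafe_entries(paths):
    """Map each rejected tree path to its reasons; safe paths are omitted."""
    return {p: r for p in paths if (r := dotgit_collision_reasons(p))}


# Constructed sample of tree entry names as a malicious push might carry
# them.  A hook file written into the real .git/hooks directory runs on the
# victim's next checkout.
SAMPLE_TREE = [
    "README",
    "src/main.c",
    ".gitignore",                      # safe: not a .git component
    "docs/.git.txt",                   # safe: trailing text is never stripped
    ".git/hooks/post-checkout",        # rejected on every platform already
    ".Git/hooks/post-checkout",        # case variant: NTFS and HFS+ fold it
    "GIT~1/hooks/post-checkout",       # NTFS 8.3 short name of .git
    ".git./hooks/post-checkout",       # NTFS drops the trailing dot
    ".g\u200cit/hooks/post-checkout",  # HFS+ ignores the zero-width non-joiner
]

if __name__ == "__main__":
    for path, reasons in find_unsafe_entries(SAMPLE_TREE).items():
        print(f"reject {path!r}: {'; '.join(reasons)}")
```

Run as a script it lists the five entries that a fixed git refuses and
stays silent on ".gitignore" and "docs/.git.txt". The check has to run on
the receiving side as well as on the client, which is why the announcement
asks hosting services on Linux to upgrade even though their own checkouts
are not affected.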

