|
|
Subscribe / Log in / New account

Mageia alert MGASA-2014-0546 (git)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2014-0546: Updated git packages fix security vulnerability 


Date:
    	      Tue, 23 Dec 2014 21:35:57 +0100


Message-ID:
    	      <20141223203557.3964D41B44@valstar.mageia.org>


MGASA-2014-0546 - Updated git packages fix security vulnerability

Publication date: 23 Dec 2014
URL: http://advisories.mageia.org/MGASA-2014-0546.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-9390

Description:
It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when the client
performed a "git pull".  Because git permitted committing .Git/config (or any
case variation), on the pull this would replace the user's .git/config.  If
this malicious config file contained defined external commands (such as for
invoking and editor or an external diff utility) it could allow for the
execution of arbitrary code with the privileges of the user running the git
client (CVE-2014-9390).

References:
- https://bugs.mageia.org/show_bug.cgi?id=14849
- http://article.gmane.org/gmane.linux.kernel/1853266
- https://bugzilla.redhat.com/show_bug.cgi?id=1175960
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390

SRPMS:
- 4/core/git-1.8.5.6-1.mga4
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds