Advisories » MGASA-2014-0546

Updated git packages fix security vulnerability

Publication date: 23 Dec 2014
Modification date: 23 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9390

Description

It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when the client
performed a "git pull".  Because git permitted committing .Git/config (or any
case variation), on the pull this would replace the user's .git/config.  If
this malicious config file contained defined external commands (such as for
invoking and editor or an external diff utility) it could allow for the
execution of arbitrary code with the privileges of the user running the git
client (CVE-2014-9390).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14849
• http://article.gmane.org/gmane.linux.kernel/1853266
• https://bugzilla.redhat.com/show_bug.cgi?id=1175960
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390

SRPMS

4/core

• git-1.8.5.6-1.mga4