CVE-2014-9390

Name	CVE-2014-9390
Description	Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-237-1
Debian Bugs	773640, 774048, 774050

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dulwich (PTS)	jessie	0.9.7-3	vulnerable
	stretch	0.16.3-1	fixed
	buster	0.19.11-2	fixed
	bullseye	0.20.15-1	fixed
	bookworm	0.21.2-1	fixed
	trixie	0.21.6-1	fixed
	sid	0.22.5-1	fixed
git (PTS)	jessie, jessie (lts)	1:2.1.4-2.1+deb8u14	fixed
	stretch (security)	1:2.11.0-3+deb9u7	fixed
	stretch (lts), stretch	1:2.11.0-3+deb9u11	fixed
	buster (security), buster, buster (lts)	1:2.20.1-2+deb10u9	fixed
	bullseye	1:2.30.2-1+deb11u2	fixed
	bullseye (security)	1:2.30.2-1+deb11u3	fixed
	bookworm (security), bookworm	1:2.39.5-0+deb12u1	fixed
	trixie	1:2.45.2-1	fixed
	sid	1:2.45.2-1.2	fixed
jgit (PTS)	jessie	3.4.0-2	vulnerable
	stretch	3.7.1-4	fixed
	buster	3.7.1-6	fixed
	bullseye	4.11.9-1	fixed
	bookworm	4.11.9-2	fixed
	sid, trixie	6.7.0-2	fixed
libgit2 (PTS)	jessie, jessie (lts)	0.21.1-3+deb8u1	fixed
	stretch (security)	0.25.1+really0.24.6-1+deb9u1	fixed
	stretch (lts), stretch	0.25.1+really0.24.6-1+deb9u3	fixed
	buster (security), buster, buster (lts)	0.27.7+dfsg.1-0.2+deb10u2	fixed
	bullseye (security), bullseye	1.1.0+dfsg.1-4+deb11u2	fixed
	bookworm (security), bookworm	1.5.1+ds-1+deb12u1	fixed
	trixie	1.8.2~rc1+ds2-1	fixed
	sid	1.8.4+ds-2	fixed
mercurial (PTS)	jessie, jessie (lts)	3.1.2-2+deb8u7	fixed
	stretch (security), stretch (lts), stretch	4.0-1+deb9u2	fixed
	buster	4.8.2-1+deb10u1	fixed
	bullseye	5.6.1-4	fixed
	bookworm	6.3.2-1	fixed
	trixie	6.8.2-1	fixed
	sid	6.9-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
dulwich	source	(unstable)	0.10.1-1
git	source	(unstable)	1:2.1.4-1
jgit	source	(unstable)	3.7.0-1		774050
libgit2	source	jessie	0.21.1-3
libgit2	source	(unstable)	0.21.3-1		774048
mercurial	source	squeeze	1.6.4-1+deb6u1	DLA-237-1
mercurial	source	wheezy	2.2.2-4
mercurial	source	(unstable)	3.1.2-2		773640

Notes

[wheezy] - git <no-dsa> (Minor issue)
[squeeze] - git <no-dsa> (Minor issue)
[jessie] - jgit <no-dsa> (Minor issue)
[wheezy] - jgit <no-dsa> (Minor issue)
[squeeze] - mercurial <no-dsa> (Minor issue)
[jessie] - dulwich <no-dsa> (Minor issue)
[wheezy] - dulwich <no-dsa> (Minor issue)
[squeeze] - dulwich <no-dsa> (Minor issue)