Rapid7 VulnDB

USN-2470-1: Git vulnerability

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 01/13/2015
Created: 07/25/2018
Added: 01/15/2015
Modified: 07/04/2017

Description

Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain filesystem paths. A remote attacker could possibly use this issue to execute arbitrary code if the Git tree is stored in an HFS+ or NTFS filesystem. The remote attacker would need write access to a Git repository that the victim pulls from.

The problem can be corrected by updating your system to the following package version:

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to set the core.protectHFS and/or core.protectNTFS Git configuration variables to "true" if you store Git trees in HFS+ and/or NTFS filesystems. If you host Git trees, setting the core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration variables to "true" will cause your Git server to reject objects containing malicious paths intended to overwrite the Git metadata.

CVE-2014-9390
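A defender-side check for the server hardening described above, added here as an example (it is not part of the Rapid7 record, the Ubuntu notice, or Git itself): it parses a repository's config file in git-config syntax and reports which of core.protectHFS, core.protectNTFS and receive.fsckObjects are missing or not set to a true value. The sample configs are constructed for illustration.

```python
import re

# Variables the advisory says a Git server should set to "true".
REQUIRED_TRUE = ("core.protecthfs", "core.protectntfs", "receive.fsckobjects")
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\s*\]$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Parse git-config syntax into {"section.key": value}; last value wins.
    Section/key names are case-insensitive (lowercased); a key with no '='
    is boolean true, as in git; subsection names keep their case."""
    values, section = {}, None
    for raw in text.splitlines():
        # Strip ';' / '#' comments (simplification: a quoted value containing
        # those characters would be cut short; irrelevant for these keys).
        line = re.split(r"[;#]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            val = m.group(2)
            values[f"{section}.{m.group(1).lower()}"] = (
                "true" if val is None else val.strip().strip('"'))
    return values


def git_bool(val):
    """Git's truthy spellings: true/yes/on/1 (case-insensitive)."""
    return val.strip().lower() in ("true", "yes", "on", "1")


def audit_hardening(config_text):
    """Return the required variables that are missing or not set to true."""
    cfg = parse_git_config(config_text)
    return [k for k in REQUIRED_TRUE if not git_bool(cfg.get(k, "false"))]


# Constructed sample configs for a hosted (bare) repository.
WEAK_CONFIG = "[core]\n\tbare = true\n[receive]\n\tdenyNonFastForwards = true\n"
HARDENED_CONFIG = """[core]
\tbare = true
\tprotectHFS = true
\tprotectNTFS = yes
[receive]
\tfsckObjects = true  ; reject objects whose paths would overwrite .git metadata
"""
```

Run `audit_hardening` over each hosted repository's `config` file; an empty list means all three variables are set as the notice recommends.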

Solution(s)

  • ubuntu-upgrade-git

References

  • ubuntu-upgrade-git