Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
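A defender-side check for the three .git collisions the description lists, written as an added example for this page rather than code from git, libgit2 or any other project named above. The HFS+ ignorable-codepoint table is an assumed approximation, rejecting every `git~N` short name (not only `git~1`) and stripping the trailing dots and spaces NTFS ignores are deliberately conservative generalisations, and the tree listing is constructed.

```python
# Defender-side check: would a tree entry resolve to the .git directory on a
# case-insensitive filesystem? Covers the three cases in the advisory above:
# (1) HFS+ ignorable codepoints, (2) NTFS 8.3 short names, (3) mixed case.

# Codepoints HFS+ skips when comparing filenames. ASSUMPTION: this list is a
# constructed approximation, not a table copied from git or libgit2.
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,          # ZWNJ, ZWJ, LRM, RLM
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,  # bidi embedding/override
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,                                  # zero-width no-break space
}


def _is_ntfs_short_git(name: str) -> bool:
    """True for an NTFS 8.3 short name such as 'git~1' that can alias '.git'.

    Any 'git~N' is rejected (conservative): which N the filesystem assigns
    depends on directory contents the checker cannot see.
    """
    head, sep, tail = name.partition("~")
    return sep == "~" and head == "git" and tail.isdigit()


def is_dotgit_component(name: str) -> bool:
    """True if a single path component could name .git on NTFS or HFS+."""
    folded = name.casefold()                                    # (3) mixed case
    folded = "".join(ch for ch in folded if ord(ch) not in HFS_IGNORABLE)  # (1)
    folded = folded.rstrip(". ")           # NTFS drops trailing dots and spaces
    return folded == ".git" or _is_ntfs_short_git(folded)       # (2) git~1


def path_touches_dotgit(path: str) -> bool:
    """True if any component of a tree path could resolve to .git."""
    return any(is_dotgit_component(c) for c in path.replace("\\", "/").split("/"))


def unsafe_entries(paths):
    """Return the entries a checkout should refuse from an untrusted tree."""
    return [p for p in paths if path_touches_dotgit(p)]


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE = [
    "README.md",
    ".gitignore",
    "src/.gitattributes",
    ".Git/config",                      # mixed case
    "sub/git~1/hooks/post-checkout",    # 8.3 short name
    ".g\u200cit/config",                # zero-width non-joiner inside '.git'
]

if __name__ == "__main__":
    for entry in unsafe_entries(SAMPLE_TREE):
        print("refuse:", entry.encode("unicode_escape").decode())
```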
| Link | Tags |
|---|---|
| https://news.ycombinator.com/item?id=8769667 | patch, third party advisory, issue tracking |
| http://article.gmane.org/gmane.linux.kernel/1853266 | broken link |
| http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html | third party advisory |
| http://mercurial.selenic.com/wiki/WhatsNew | third party advisory, release notes |
| http://support.apple.com/kb/HT204147 | vendor advisory |
| https://github.com/blog/1938-git-client-vulnerability-announced | vendor advisory |
| http://securitytracker.com/id?1031404 | third party advisory, vdb entry |
| https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915 | third party advisory |
| https://libgit2.org/security/ | product |