[Secure-testing-team] Bug#780989: dulwich: CVE-2014-9390: does not prevent to write files in commits with invalid paths to working tree
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 22 20:53:16 UTC 2015
Source: dulwich
Version: 0.9.8-1
Severity: grave
Tags: security upstream fixed-upstream
Hi Jelmer,
the following vulnerability got a separate CVE assigned after asking
for it on oss-security. I chose grave as the severity, as it allows
arbitrary code execution if one clones from a remote git repo and
subsequently commits via dulwich. Please let me know if you don't
agree.
CVE-2014-9706[0]:
does not prevent to write files in commits with invalid paths to working tree
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-9706
Please adjust the affected versions in the BTS as needed (I guess the
issue is also present in 0.8.5, but have not yet checked this).
Regards,
Salvatore
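The report above only says that dulwich writes commits with "invalid paths" into the working tree. As an added illustration (this is not dulwich's code and not the fix Jelmer shipped), the validator below assumes, as is not spelled out in the mail, that the dangerous entries are tree paths that escape the checkout root or land inside the `.git` directory (for example a hook under `.git/hooks/`, which git would then run on the next commit). The sample tree entries and the working-tree root are constructed for the example; `validate_tree_path`, `safe_checkout_target` and `plan_checkout` are hypothetical names.

```python
import os


def _is_dotgit(element: bytes) -> bool:
    """True if a path element would name the .git directory on the filesystem.

    Besides the exact spelling this covers case-folded variants (".Git",
    ".GIT") for case-insensitive filesystems and the NTFS 8.3 short name
    "GIT~1", which both resolve to the real .git directory.
    """
    lowered = element.lower()
    return lowered == b".git" or lowered == b"git~1"


def validate_tree_path(path: bytes) -> bool:
    """Return True only if a git tree path is safe to write under a checkout.

    Tree paths are '/'-separated byte strings relative to the repository
    root. Rejected: empty paths, absolute paths, backslashes, NUL bytes,
    empty/'.'/'..' components, and any component naming .git.
    """
    if not path or path.startswith(b"/") or b"\\" in path or b"\0" in path:
        return False
    for element in path.split(b"/"):
        if element in (b"", b".", b".."):
            return False
        if _is_dotgit(element):
            return False
    return True


def safe_checkout_target(root: str, path: bytes) -> str:
    """Map a validated tree path to an on-disk target below `root`.

    After the syntactic check, the resolved target is compared against the
    resolved root so that a symlinked parent directory cannot redirect the
    write outside the working tree either.
    """
    if not validate_tree_path(path):
        raise ValueError("refusing to write invalid tree path %r" % (path,))
    target = os.path.join(root, path.decode("utf-8"))
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(target)
    if os.path.commonpath([real_root, real_target]) != real_root:
        raise ValueError("tree path escapes the working tree: %r" % (path,))
    return target


def plan_checkout(root: str, paths):
    """Split tree entries into (accepted {path: target}, rejected [paths])."""
    accepted, rejected = {}, []
    for path in paths:
        try:
            accepted[path] = safe_checkout_target(root, path)
        except ValueError:
            rejected.append(path)
    return accepted, rejected


# Constructed sample: entries a hostile remote tree might carry.
SAMPLE_TREE = [
    b"README",
    b"src/main.py",
    b"src/.gitignore",            # benign: not the .git directory itself
    b".git/hooks/post-commit",    # would be executed by git on commit
    b".GIT/config",               # same directory on a case-folding filesystem
    b"sub/GIT~1/hooks/pre-commit",  # NTFS 8.3 alias of .git
    b"../outside.txt",            # escapes the checkout
    b"/etc/cron.d/job",           # absolute path
]

if __name__ == "__main__":
    # Hypothetical working-tree root; nothing is written to disk here.
    ok, bad = plan_checkout("/tmp/example-wt", SAMPLE_TREE)
    for p in ok:
        print("write  ", p.decode(), "->", ok[p])
    for p in bad:
        print("reject ", p.decode())
```

The `realpath` comparison is the part a purely syntactic check misses: once a tree has already created `sub` as a symlink to somewhere outside the checkout, a later entry `sub/x` passes `validate_tree_path` but must still be refused, which `safe_checkout_target` does by checking the resolved target against the resolved root.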