Are remote git clients vulnerable to CVE-2014-9390 if only trusted users have SSH access?

Tags:

git

If I have a git client on a remote server and only X users have SSH access, should I be concerned with updating git on that server specifically to patch against CVE-2014-9390? It seems to me that the vulnerability is strictly related to .Git/config being clobbered on a case-insensitive filesystem, which would require a git push, which would only ever be accepted (in this case) by trusted users that already have SSH access. Is that the case? Am I missing anything?

Related reading:

  • http://article.gmane.org/gmane.linux.kernel/1853266
  • http://git-blame.blogspot.com.es/2014/12/git-1856-195-205-214-and-221-and.html
  • https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
Charlie Schliesser asked Dec 18 '14 22:12


1 Answer

This only affects people who pull from untrustworthy repositories. If you know your repository, to which only trustworthy people have update access, does not have malicious contents, you would be safe without the patch.

If any of these trusted users' accounts is compromised and an impersonator is allowed to push malicious contents there, of course you are lost. But you are assuming that will never happen, so ...

Gitster answered Nov 15 '22 10:11
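A check a defender can run over a repository's tree to confirm the condition the answer relies on ("does not have malicious contents" for this bug), added here as an example that is not part of the thread or of git itself: it folds each path component the way a case-insensitive HFS+/NTFS checkout would and flags anything that would land on `.git`, the `.Git/config` case from the question included. The HFS+ ignorable code-point set and the NTFS trailing-dot/space rule are assumptions of this example; `scan_ref` assumes a `git` binary on PATH.

```python
import subprocess
from typing import Iterable, List

# Code points HFS+ ignores when comparing file names (assumed set for this example).
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def normalize_component(name: str) -> str:
    """Fold one path component the way a case-insensitive checkout would see it:
    drop HFS+ ignorable code points, drop trailing dots/spaces (NTFS), lowercase."""
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    return stripped.rstrip(". ").lower()


def is_dotgit_component(name: str) -> bool:
    """True if this component would collide with .git on such a filesystem."""
    return normalize_component(name) == ".git"


def find_dotgit_paths(paths: Iterable[str]) -> List[str]:
    """Return every path with a component that would clobber .git on checkout."""
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


def scan_ref(ref: str = "HEAD", repo: str = ".") -> List[str]:
    """Audit a real repository: list the tree at `ref` and flag offending paths."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "-z", "--name-only", ref],
        check=True, capture_output=True,
    ).stdout.decode("utf-8", "surrogateescape")
    return find_dotgit_paths(p for p in out.split("\0") if p)


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_TREE_PATHS = [
    "README.md",
    ".gitignore",                       # starts with .git but is not .git: fine
    "src/.git.txt",                     # also fine
    ".Git/config",                      # the exact case from the question
    "vendor/.GIT./hooks/post-checkout", # NTFS drops the trailing dot
    "docs/.g\u200cit/config",           # HFS+ ignores U+200C
]

if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE_PATHS):
        print("would clobber .git on a case-insensitive checkout:", path)
```

Run `scan_ref("refs/heads/main", "/path/to/repo")` against every ref you accept pushes for; an empty list means the tree has nothing this bug could use, whoever pushed it.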