Dulwich Project Dulwich vulnerabilities
4 known vulnerabilities affecting dulwich_project/dulwich.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2
Vulnerabilities
CVE-2014-9390 | CRITICAL | CVSS 9.8 | PoC | ≥ 0, < 0.10.1-1 | 2020-02-12
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config
osv
CVE-2017-16228 | CRITICAL | CVSS 9.8 | ≤ 0.18.4 | 2017-10-29
Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117.
ghsa, nvd, osv
CVE-2015-0838 | HIGH | CVSS 7.5 | CWE-119 | ≤ 0.9.8 | 2015-03-31
Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file.
ghsa, nvd, osv
CVE-2014-9706 | HIGH | CVSS 7.5 | CWE-19 | ≤ 0.9.8 | 2015-03-31
The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.
ghsa, nvd, osv