14 DAY TRIAL // A vulnerability in the official Git client for Windows and Mac operating systems has been discovered, presenting the potential of executing unauthorized commands on the users’ machines.
A fix has been created and all developers relying on the distributed version control software are urged to update to the latest release. It is also recommended to tread with care when cloning or accessing Git repositories hosted on suspicious locations.
The bug is critical as it affects all versions of the Git client and compatible software offering access to Git repositories.
OSes with case-insensitive filesystems are affected
An official advisory explains that the risk consists in the fact that “an attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine.”
The only prerequisite is for the filesystem to be case-insensitive (no two files with the same name, but characters in different cases can exist in the same folder), which means that Linux users are safe if they use a case-sensitive filesystem. However, any version of Windows (NTFS) and OS X (HFS+) is susceptible to attacks taking advantage of this vulnerability.
Malicious Git trees are not present on github.com because the administrators employ a verification mechanism for the trees in the source code when they are pushed.
On the other hand, there are third-party repositories that are either not curated at all or the process is faulty; users accessing these locations may be at risk.
GitHub has been double-checked for malicious content
Out of extra caution, the administrators of github.com ran an automated scan on all content available in the repository, in case something bad might have evaded the initial verification process before the discovery of the security flaw.
“This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data,” it is said in the advisory.
Developers can get the updated versions of the client for Windows and Mac. The correction has also been added to the bundled version of the command-line variant of the Git client.
Credit for the discovery of the glitch, which is now identified as CVE-2014-9390, goes to the developers of Mercurial, a Python-based distributed version control system, Matt Mackall and Augie Fackler in particular.
