Upgrade Git Client To Avoid Vulnerability
Written by Ian Elliot   
Friday, 19 December 2014

If you use Git or GitHub then you need to upgrade you Git client to avoid a potential security breach. 

 

gitlogo

 

The problem affecting all versions of the Git client was announced yesterday. The vulnerability is trivial - an attacker can craft a Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository. This then causes the config file to execute any code that was supplied by the malicious repository. The config file can contain aliases for Git commands and hence the malicious config file can re-purpose Git commands for just about anything it wants to. This is the sense in which the attacker can execute almost any code they want. 

The cause of the problem is that it is perfectly OK to have a .Git/config, or any other capitalization of .git/config as a file and as part of the repository and it is treated as a standard folder different from .git/config which is outside of the repository. However, OSX and Windows use case insensitive file systems and the result is that .Git/config is the same as .git/config and so copying it overwrites the original .git/config. If you are working with Linux or Unix, or any case sensitive operating system, then the Git client works as planned. 

That is, on any operating system the Git client is "clever" enough to avoid copying .git/config in the repository over the real .git/config file, but it allows files like .Git/config to be copied and on those operating systems where case doesn't make a difference to file names the result is copying over .git/config.

 

gitfiles

 

If you are a bit surprised that such a stupid bug survived so long, then perhaps it is worth pointing out the Linux/Unix mind set is that different capitalizations are different symbols and Windows/OSX are both secondary to Linux. 

Overall the risk isn't that great, because anyone wanting to make use of the defect would have to have commit rights to create the malicious repository and thus you would probably have to work with a public repository. 

The solution is to install the latest versions of the Git client. There is also a problem with third party software that makes use of the libgit2 and JGit libraries and there are updates for these. 

GitHub is also affected by the problem and, as well as advising people to install the latest client, it has instituted a verification procedure that makes sure that they are not hosting any trees that contain folders that just a recapitalization of .git/config. Thus there can be no malicious public repositories on GitHub.

 

giticon

The moral is if you write programs that assume case sensitivity make sure you allow for operating systems that don't.

 

More Information

Git Announcment

Vulnerability announced: update your Git clients

Related Articles

GitHub for Windows

Git and GitHub Top in Popularity Stakes

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.

 

Banner


Google Extends Bug Bounty To Third Party Apps
03/09/2019

Google is extending its bug bounty scheme to third party apps in the Google Play Store. The reward will apply to problems found in any app that has more than 100 million installs.



AI Learns To Solve Rubik's Cube - Fast!
31/08/2019

Yes, this is another "AI masters a game or puzzle" piece of news, but this one is surprising. Having learned to solve a logical problem, AI turns in a performance that typically not only beats a human [ ... ]


More News

 

graphics

 



 

Comments




or email your comment to: comments@i-programmer.info

 

 

 

Last Updated ( Friday, 19 December 2014 )