Upgrade Git Client To Avoid Vulnerability
Written by Ian Elliot   
Friday, 19 December 2014

If you use Git or GitHub then you need to upgrade you Git client to avoid a potential security breach. 

 

gitlogo

 

The problem affecting all versions of the Git client was announced yesterday. The vulnerability is trivial - an attacker can craft a Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository. This then causes the config file to execute any code that was supplied by the malicious repository. The config file can contain aliases for Git commands and hence the malicious config file can re-purpose Git commands for just about anything it wants to. This is the sense in which the attacker can execute almost any code they want. 

The cause of the problem is that it is perfectly OK to have a .Git/config, or any other capitalization of .git/config as a file and as part of the repository and it is treated as a standard folder different from .git/config which is outside of the repository. However, OSX and Windows use case insensitive file systems and the result is that .Git/config is the same as .git/config and so copying it overwrites the original .git/config. If you are working with Linux or Unix, or any case sensitive operating system, then the Git client works as planned. 

That is, on any operating system the Git client is "clever" enough to avoid copying .git/config in the repository over the real .git/config file, but it allows files like .Git/config to be copied and on those operating systems where case doesn't make a difference to file names the result is copying over .git/config.

 

gitfiles

 

If you are a bit surprised that such a stupid bug survived so long, then perhaps it is worth pointing out the Linux/Unix mind set is that different capitalizations are different symbols and Windows/OSX are both secondary to Linux. 

Overall the risk isn't that great, because anyone wanting to make use of the defect would have to have commit rights to create the malicious repository and thus you would probably have to work with a public repository. 

The solution is to install the latest versions of the Git client. There is also a problem with third party software that makes use of the libgit2 and JGit libraries and there are updates for these. 

GitHub is also affected by the problem and, as well as advising people to install the latest client, it has instituted a verification procedure that makes sure that they are not hosting any trees that contain folders that just a recapitalization of .git/config. Thus there can be no malicious public repositories on GitHub.

 

giticon

The moral is if you write programs that assume case sensitivity make sure you allow for operating systems that don't.

 

More Information

Git Announcment

Vulnerability announced: update your Git clients

Related Articles

GitHub for Windows

Git and GitHub Top in Popularity Stakes

 

To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.

 

Banner


Arduino IoT Cloud Public Beta
15/02/2019

Everyone seems to want to provide an IoT solution, but it's a tough market to crack. Now Arduino has an easy to use cloud solution, but can you trust it? And is it even needed?



Amazon's Delivery Scout
26/01/2019

As we have said before, self-driving delivery vehicles are going to be as disruptive, if not more so, than self-driving cars and they might be here sooner. Amazon has, at long last, stopped pretending [ ... ]


More News

 

Python

 



 

Comments




or email your comment to: comments@i-programmer.info

 

 

 

Last Updated ( Friday, 19 December 2014 )