Upgrade Git Client To Avoid Vulnerability
Written by Ian Elliot   
Friday, 19 December 2014

If you use Git or GitHub then you need to upgrade you Git client to avoid a potential security breach. 




The problem affecting all versions of the Git client was announced yesterday. The vulnerability is trivial - an attacker can craft a Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository. This then causes the config file to execute any code that was supplied by the malicious repository. The config file can contain aliases for Git commands and hence the malicious config file can re-purpose Git commands for just about anything it wants to. This is the sense in which the attacker can execute almost any code they want. 

The cause of the problem is that it is perfectly OK to have a .Git/config, or any other capitalization of .git/config as a file and as part of the repository and it is treated as a standard folder different from .git/config which is outside of the repository. However, OSX and Windows use case insensitive file systems and the result is that .Git/config is the same as .git/config and so copying it overwrites the original .git/config. If you are working with Linux or Unix, or any case sensitive operating system, then the Git client works as planned. 

That is, on any operating system the Git client is "clever" enough to avoid copying .git/config in the repository over the real .git/config file, but it allows files like .Git/config to be copied and on those operating systems where case doesn't make a difference to file names the result is copying over .git/config.




If you are a bit surprised that such a stupid bug survived so long, then perhaps it is worth pointing out the Linux/Unix mind set is that different capitalizations are different symbols and Windows/OSX are both secondary to Linux. 

Overall the risk isn't that great, because anyone wanting to make use of the defect would have to have commit rights to create the malicious repository and thus you would probably have to work with a public repository. 

The solution is to install the latest versions of the Git client. There is also a problem with third party software that makes use of the libgit2 and JGit libraries and there are updates for these. 

GitHub is also affected by the problem and, as well as advising people to install the latest client, it has instituted a verification procedure that makes sure that they are not hosting any trees that contain folders that just a recapitalization of .git/config. Thus there can be no malicious public repositories on GitHub.



The moral is if you write programs that assume case sensitivity make sure you allow for operating systems that don't.


More Information

Git Announcment

Vulnerability announced: update your Git clients

Related Articles

GitHub for Windows

Git and GitHub Top in Popularity Stakes


To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, FacebookGoogle+ or Linkedin,  or sign up for our weekly newsletter.



Apple Announces App Privacy Revamp

Apple has released details of an overhaul of app privacy disclosure that will affect any developer with an app on the Apple Store.

Keep Up To Date With Microsoft's .NET Live TV

Microsoft has a new portal for all its .NET and Visual Studio live streams. While the original Twitch and YouTube channels aren't going away, .NET Live TV provides easy access to what's currently on o [ ... ]

More News






or email your comment to: comments@i-programmer.info




Last Updated ( Friday, 19 December 2014 )