Critical Git Vulnerability Patched: Update Your Git Clients Immediately

photo credit: git - the simple guide

Git just announced version 2.2.1, a maintenance release that includes a security fix for a critical vulnerability that affects those using Windows and Mac OS X Git clients. This update also includes new releases with the same security fix for older Git versions.

GitHub confirmed that GitHub for Windows and GitHub for Mac are both affected and should be updated immediately. The GitHub engineering team explains how attackers might exploit the vulnerability:

The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.

If you’re using GitHub’s client for Windows or Mac, the security issue has been patched and is ready for download. This includes an update to both the desktop application and the bundled version of the Git command-line client. If you’re using any other kind of Git client or software that connects to Git repositories, you’ll want to update immediately.

Although the issue should not affect Linux users, the release announcement encourages those who operate hosting services with users that fetch from Windows or Mac OS X machines to update in order to protect users with older versions of Git. Check out the 2.2.1 release notes for further information on the security fixes.
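The quoted advisory describes tree paths that only collide with .git once the filesystem normalizes them, and the release notes ask hosting services to protect clients that have not yet updated. Below is an added example of a server-side check in that spirit (not code from Git or GitHub): it flags tree paths whose components would alias .git on HFS+, NTFS or FAT. It goes beyond the case folding the article names to cover two further normalizations the 2.2.1 fix also guards against, HFS+ ignorable code points and NTFS 8.3 short names; the sample tree is constructed, and the HFS+ ignorable set is listed from memory and is an assumption.

```python
"""Flag tree paths that would alias ".git" on a case-insensitive or
case-normalizing filesystem. Added example for this article, not Git's or
GitHub's code; sample tree is constructed, HFS_IGNORABLE is an assumption."""
import re
import unicodedata

# Code points HFS+ ignores when comparing file names (assumed list).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C,
                 0x202D, 0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E,
                 0x206F, 0xFEFF}


def component_aliases_dotgit(name: str) -> bool:
    """True if one path component could land on ".git" after the filesystem
    normalises it: case folding, NTFS trailing dot/space stripping, the NTFS
    8.3 short name, or HFS+ dropping ignorable code points."""
    folded = name.casefold()
    # NTFS/FAT: case-insensitive, trailing dots and spaces are dropped, and
    # the ".git" directory also answers to its 8.3 short name GIT~1.
    if folded.rstrip(". ") in (".git", "git~1"):
        return True
    # HFS+: case-insensitive, NFD-normalised, and ignorable code points are
    # skipped entirely when two names are compared.
    hfs = "".join(ch for ch in folded if ord(ch) not in HFS_IGNORABLE)
    return unicodedata.normalize("NFD", hfs) == ".git"


def dotgit_collisions(paths):
    """Return the tree paths with any component that aliases .git. Both "/"
    and "\\" are treated as separators, as a Windows checkout would."""
    return [p for p in paths
            if any(component_aliases_dotgit(c) for c in re.split(r"[/\\]", p))]


# Constructed sample listing, as a pre-receive hook would obtain it from
# `git ls-tree -r --name-only <commit>` (assumed deployment, not on the page).
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/config",          # case variant of .git
    ".git\u200c/config",    # zero-width non-joiner, ignored by HFS+
    "GIT~1/config",         # NTFS 8.3 short name for .git
    "docs/.git./notes",     # NTFS drops the trailing dot
    "legit/config",         # harmless: merely contains "git"
    ".gitignore",           # harmless
]

if __name__ == "__main__":
    for path in dotgit_collisions(SAMPLE_TREE):
        print("REJECT", repr(path))
```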

2 Comments

  1. Can someone please point me to a -good- resource which explains how to update Git on Mac? I have version 1.8.4.2 running but the documentation on the GitHub site is conflicting and confusing.

    Look here:
    http://git-scm.com/downloads
    On the right there is a big notification “Latest source Release 2.2.1” “Downloads for Mac”. But clicking through you get to this page:
    http://git-scm.com/download/mac
    Where it says: “You are downloading version 2.0.1 of Git for the Mac platform. This is the most recent maintained build for this platform. It was released 6 months ago, on 2014-06-29.”
    So that is an old version.

    So going back to the first page, there are two more choices: a GUI client or Git via Git. For the GUI client, GitHub for Mac, nowhere does it explain whether it also contains Git itself and/or whether it will upgrade my version to the newest, or whether it will conflict with my current version.

    So, Git via Git: as explained here,
    http://git-scm.com/book/en/v2/Getting-Started-Installing-Git
    at the bottom are instructions, but for me those are confusing as well.

    Last, on some websites people explain they use Homebrew. But that’s yet another piece of code and dependency I have to install. And about which I read conflicting opinions (some people warning it messes up my system, etc).

    I just want a simple method which allows me to cleanly update my Git version. I don’t understand why it’s so difficult.
