
Git just announced version 2.2.1, a maintenance release that includes a security fix for a critical vulnerability that affects those using Windows and Mac OS X Git clients. This update also includes new releases with the same security fix for older Git versions.
GitHub confirmed that GitHub for Windows and GitHub for Mac are both affected and should be updated immediately. The GitHub engineering team explains how attackers might exploit the vulnerability:
The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution on the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.
If you’re using GitHub’s client for Windows or Mac, the security issue has been patched and is ready for download. This includes an update to both the desktop application and the bundled version of the Git command-line client. If you’re using any other kind of Git client or software that connects to Git repositories, you’ll want to update immediately.
Although the issue should not affect Linux users, the release announcement encourages those who operate hosting services with users that fetch from Windows or Mac OS X machines to update in order to protect users with older versions of Git. Check out the 2.2.1 release notes for further information on the security fixes.
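As an added example, not code from the article, the Git project or GitHub, the Python check below mirrors the class of defence a patched client applies: it refuses any tree path whose component would collide with .git once a case-insensitive, case-normalizing filesystem has folded the name. The set of code points treated as ignored by HFS+ is an assumption of this example, and the sample tree listing is constructed.

```python
import unicodedata

# Code points assumed here to be ignored by HFS+ when comparing file names;
# they are the "case-normalizing" behaviour the advisory warns about.
HFS_IGNORED = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def normalize_component(name: str) -> str:
    """Fold one path component the way a case-insensitive,
    case-normalizing filesystem would before comparing it."""
    # Drop the code points the filesystem ignores outright.
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORED)
    # Canonical decomposition (HFS+ stores NFD) followed by case folding.
    return unicodedata.normalize("NFD", stripped).casefold()


def is_dotgit(name: str) -> bool:
    """True if this component would collide with '.git' on such a filesystem."""
    return normalize_component(name) == ".git"


def find_dotgit_paths(paths):
    """Return every tree path containing a '.git'-equivalent component.

    A legitimate tree never carries such a component, so any hit is a
    reason to refuse the checkout rather than let it land on disk."""
    return [p for p in paths if any(is_dotgit(part) for part in p.split("/"))]


# Constructed sample tree listing, not taken from any real repository.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                       # fine: not equal to '.git'
    ".Git/config",                      # case variant of .git
    "vendor/.GIT/hooks/post-checkout",  # nested case variant
    ".g\u200cit/config",                # zero-width non-joiner ignored by HFS+
    "normal/dir/file.txt",
]

if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("refusing to check out:", repr(path))
```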
Thanks for the heads up.