Critical Git Vulnerability Allows for Remote Code Execution
Critical Vulnerability in Git Clients as well as Any Software that interacts with Git Repositories
A critical vulnerability affecting all versions of Git clients, and any software that interacts with Git repositories, has recently been uncovered. The bug is client-side: neither GitHub.com nor GitHub Enterprise is directly affected. Git users are advised to upgrade their clients as soon as possible.
Mac and Windows Affected
Ken Westin, Sr. Technical Marketing Manager and Security Analyst at Tripwire, explains the nature of the bug: “This vulnerability has serious implications for developers and other users of the popular Git client utilities. If a vulnerable Git client connects to a remote Git server that has a malicious Git tree, attackers can overwrite a configuration file and use remote code execution to compromise the system.”
“Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability,” comments GitHub’s engineering team in a statement regarding the bug.
GitHub has released updated versions of its GitHub for Windows and GitHub for Mac clients; updating either patches the vulnerability on the client system, covering both the desktop application and the command-line Git it bundles. Linux systems are not affected as long as the repository is checked out on a case-sensitive filesystem; a case-insensitive filesystem on any platform is exposed. Alongside the Windows and Mac packages, the Git project has published maintenance releases (v1.8.5.6, v1.9.5, v2.0.5, and v2.1.4) that all contain the fix. The two major Git libraries, libgit2 and JGit, have also shipped new releases incorporating the fix.
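The mechanism above is a path-folding collision: a tree that contains a directory such as `.Git` or `GIT~1` is harmless on a case-sensitive Linux filesystem but lands in `.git/` on NTFS, FAT or HFS+, so its `config` overwrites the real one. The following scanner is an added example, not code from the article, GitHub or the Git project: it takes a repository path listing and flags any component that a lenient filesystem would map onto `.git`. The HFS+ ignorable code-point set and the NTFS 8.3 short-name rule it uses are assumptions modelled on how the fixed Git releases validate paths; the sample tree listing is constructed.

```python
# Added example (not from the original article): scan a list of repository
# paths for directory names that a case-insensitive or Unicode-folding
# filesystem would map onto ".git", which is how a malicious tree can
# overwrite .git/config on checkout.  The NTFS 8.3 short-name rule and the
# HFS+ ignorable code points below are assumptions taken from how the fixed
# Git releases validate paths, not from the article.

# Code points HFS+ ignores when comparing file names (assumed set).
HFS_IGNORABLE = (
    set(range(0x200C, 0x2010))    # ZWNJ, ZWJ, LRM, RLM
    | set(range(0x202A, 0x202F))  # bidi embedding/override controls
    | set(range(0x206A, 0x2070))  # deprecated format characters
    | {0xFEFF}                    # zero-width no-break space / BOM
)


def fold_component(component: str) -> str:
    """Normalize one path component the way a lenient filesystem would."""
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    # Windows drops trailing dots and spaces; every lenient FS folds case.
    return stripped.lower().rstrip(". ")


def is_dotgit(component: str) -> bool:
    """True if this component would collide with '.git' on a lenient FS."""
    folded = fold_component(component)
    if folded == ".git":
        return True
    # NTFS 8.3 short name for ".git" is GIT~1 (assumed: the digit may vary).
    return folded.startswith("git~") and folded[4:].isdigit()


def find_dotgit_paths(paths):
    """Return every path containing a component that maps onto '.git'."""
    return [p for p in paths if any(is_dotgit(c) for c in p.split("/"))]


# Constructed tree listing, in the shape `git ls-tree -r --name-only HEAD`
# prints it; the three flagged entries are deliberately malicious.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",
    ".Git/config",                 # case variant, collides on NTFS/FAT/HFS+
    ".g\u200cit/config",           # zero-width non-joiner, ignored by HFS+
    "GIT~1/hooks/post-checkout",   # NTFS 8.3 short name for .git
]

if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("refusing to check out:", path)
```

In practice you would pipe `git ls-tree -r --name-only <commit>` from a freshly fetched (not yet checked out) repository into `find_dotgit_paths` and refuse the checkout on any hit. This only inspects the tree you hand it; submodule trees and other branches need the same scan, and the check is a stop-gap for hosts that cannot yet move to the fixed Git, libgit2 or JGit releases, which perform this validation themselves.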
Affected software built on these libraries includes Visual Studio, which lets developers build and store their projects in the cloud and connects to Eclipse, Xcode, and other Git clients. Any third-party software that embeds libgit2 or JGit should pick up the fixed releases and ship an update as soon as possible.
The author Delwyn Pinto
A person proud to have an alternate view