If you use Git or GitHub then you need to upgrade you Git client to avoid a potential security breach. 

The problem affecting all versions of the Git client was announced yesterday. The vulnerability is trivial - an attacker can craft a Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository. This then causes the config file to execute any code that was supplied by the malicious repository. The config file can contain aliases for Git commands and hence the malicious config file can re-purpose Git commands for just about anything it wants to. This is the sense in which the attacker can execute almost any code they want. 

The cause of the problem is that it is perfectly OK to have a .Git/config, or any other capitalization of .git/config as a file and as part of the repository and it is treated as a standard folder different from .git/config which is outside of the repository. However, OSX and Windows use case insensitive file systems and the result is that .Git/config is the same as .git/config and so copying it overwrites the original .git/config. If you are working with Linux or Unix, or any case sensitive operating system, then the Git client works as planned. 

That is, on any operating system the Git client is "clever" enough to avoid copying .git/config in the repository over the real .git/config file, but it allows files like .Git/config to be copied and on those operating systems where case doesn't make a difference to file names the result is copying over .git/config.

If you are a bit surprised that such a stupid bug survived so long, then perhaps it is worth pointing out the Linux/Unix mind set is that different capitalizations are different symbols and Windows/OSX are both secondary to Linux. 

Overall the risk isn't that great, because anyone wanting to make use of the defect would have to have commit rights to create the malicious repository and thus you would probably have to work with a public repository. 

The solution is to install the latest versions of the Git client. There is also a problem with third party software that makes use of the libgit2 and JGit libraries and there are updates for these. 

GitHub is also affected by the problem and, as well as advising people to install the latest client, it has instituted a verification procedure that makes sure that they are not hosting any trees that contain folders that just a recapitalization of .git/config. Thus there can be no malicious public repositories on GitHub.

The moral is if you write programs that assume case sensitivity make sure you allow for operating systems that don't.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info