BT

InfoQ Homepage News Critical Git and Mercurial Vulnerability on OS X and Windows

Critical Git and Mercurial Vulnerability on OS X and Windows

Bookmarks

A critical security vulnerability affecting Git and Mercurial has been announced yesterday, that makes it possible for an attacker to execute arbitrary commands in the client machine. The vulnerability only affects clients running on OS X (HFS+) and Windows (NTFS, FAT). Both the Git core team and Mercurial team have published new releases (Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, and 2.2.1, Mercurial 3.2.3) fixing the vulnerability.

Junio C Hamano, Git maintainer since 2005, described the vulnerability in his blog:

Git maintains various meta-information for its repository in files in .git/ directory located at the root of the working tree. The system does not allow a file in that directory (e.g. .git/config) to be committed in the history of the project, or checked out to the working tree from the project. Otherwise, an unsuspecting user can run git pull from an innocuous-looking-but-malicious repository and have the meta-information in her repository overwritten, or executable hooks installed by the owner of that repository she pulled from (i.e., an attacker).

This protection has been found to be inadequate on case-insensitive file systems, continues Junio, since an attacker could commit, e.g., a .Git/anything file to have it replace a corresponding file in the .git directory. All versions of Windows using FAT or NTFS, and versions of OS X using case-insensitive HFS+, which is the default option, are thus vulnerable.

The vulnerability can be exploited also in other ways. Indeed, both Windows and OS X map "certain path components that are different from .git to .git, e.g. "git~1/config" on Windows and .g\u200cit/config on OS X are treated as if it were .git/config.

This vulnerability is not known to affect Linux systems, unless they use a case-insensitive file system, which is not a usual option.

Microsoft has released patches for their tools, including Visual Studio 2013 RTM, Visual Studio 2013 Update 4 and VS 2012 VSIX extension. Furthermore, although the vulnerability only affects clients, Microsoft "applied a patch both to VS Online and Codeplex that prevents the server from accepting pushes of .git\config files."

Apple has announced a new Xcode 6.2 beta3 release, too, to fix the vulnerability: "The checks involved in disallowed paths did not account for case insensitivity or unicode characters. This issue was addressed by adding additional checks."

Finally, GitHub announced that they "completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered," and implemented a change to make sure "Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability."

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.