
Critical Git and Mercurial Vulnerability on OS X and Windows

| by Sergio De Simone Follow 5 Followers on Dec 19, 2014. Estimated reading time: 2 minutes |

A critical security vulnerability affecting Git and Mercurial was announced yesterday. It allows an attacker who controls a repository to execute arbitrary commands on the machine of any client that clones or pulls from it. The vulnerability only affects clients running on OS X (HFS+) and Windows (NTFS, FAT). Both the Git core team and the Mercurial team have published new releases (Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, and 2.2.1; Mercurial 3.2.3) fixing the vulnerability.

Junio C Hamano, Git maintainer since 2005, described the vulnerability in his blog:

Git maintains various meta-information for its repository in files in .git/ directory located at the root of the working tree. The system does not allow a file in that directory (e.g. .git/config) to be committed in the history of the project, or checked out to the working tree from the project. Otherwise, an unsuspecting user can run git pull from an innocuous-looking-but-malicious repository and have the meta-information in her repository overwritten, or executable hooks installed by the owner of that repository she pulled from (i.e., an attacker).

This protection has been found to be inadequate on case-insensitive file systems, continues Junio: an attacker can commit a file such as .Git/anything, and on checkout it replaces the corresponding file in the .git directory. All versions of Windows using FAT or NTFS, and versions of OS X using case-insensitive HFS+ (the default), are thus vulnerable.

Case folding is not the only way in. Both Windows and OS X also map certain path components that differ from .git onto .git: "git~1/config" on Windows (GIT~1 is the 8.3 short name Windows generates for a directory named .git) and ".g\u200cit/config" on OS X (where \u200c is a zero-width non-joiner, one of the Unicode code points HFS+ ignores when comparing file names) are both treated as if they were .git/config.

This vulnerability is not known to affect Linux systems unless they use a case-insensitive file system, which is uncommon.
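The three mappings described above (case folding, NTFS 8.3 short names and HFS+ ignorable code points) can be reproduced as a path check that a hosting service or a pre-receive hook could run over the paths in an incoming tree. The following is an added example written for this article; it is not code from Git, Mercurial or any of the vendors mentioned. The set of HFS+ ignorable code points and the treatment of trailing dots and spaces on NTFS are assumptions reproduced from the behaviour of those file systems, and the sample tree is constructed for the example.

```python
"""Flag tree paths that would land in .git on a case-insensitive or
name-mangling file system (HFS+, NTFS, FAT).

Added example for this article, not Git's own verify_path()/fsck code.
"""

# Code points HFS+ ignores when comparing file names (assumption: the set
# of Unicode "ignorable" characters relevant to this bug, e.g. U+200C
# ZERO WIDTH NON-JOINER, bidi controls and U+FEFF).
HFS_IGNORABLE = frozenset([
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
])


def hfs_normalize(component: str) -> str:
    """Approximate HFS+ name comparison: drop ignorable code points, fold case."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE).casefold()


def ntfs_normalize(component: str) -> str:
    """Approximate NTFS/FAT name comparison: strip trailing dots and spaces
    (Windows drops them when creating a file) and fold case."""
    return component.rstrip(". ").casefold()


def is_dotgit_component(component: str) -> bool:
    """True if this single path component would be stored as .git on one of
    the affected file systems."""
    if component.casefold() == ".git":          # .Git, .GIT, ...
        return True
    if hfs_normalize(component) == ".git":      # .g\u200cit on HFS+
        return True
    n = ntfs_normalize(component)
    if n == ".git":                             # ".git." or ".git " on NTFS
        return True
    # 8.3 short name: ".git" has an empty base name, so Windows assigns GIT~1
    # (or GIT~2, ... if GIT~1 is already taken) to it.
    if n.startswith("git~") and n[4:].isdigit():
        return True
    return False


def find_dangerous_paths(paths):
    """Return the paths from `paths` containing any .git-equivalent component."""
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


# Constructed sample tree mixing legitimate entries with the four variants
# the article describes.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".Git/hooks/post-checkout",     # case variant: HFS+ and NTFS
    "GIT~1/config",                 # NTFS 8.3 short name
    ".g\u200cit/config",            # HFS+ ignores U+200C
    ".git./hooks/pre-commit",       # NTFS strips the trailing dot
    "docs/.gitignore",              # legitimate, must not be flagged
    "vendor/gitlab/README",         # legitimate, must not be flagged
]

if __name__ == "__main__":
    for path in find_dangerous_paths(SAMPLE_TREE):
        print("REJECT:", repr(path))
```

Git's own fix in the releases listed above performs checks of this kind in the client and, through the core.protectHFS and core.protectNTFS settings together with fsck on receive, lets a server refuse such trees before they are stored; the example above is only a stand-alone illustration of what those checks have to recognise. Note that "docs/.gitignore" and "vendor/gitlab" pass: the comparison is against the whole component, not a prefix.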

Microsoft has released patches for its tools, including Visual Studio 2013 RTM, Visual Studio 2013 Update 4 and the VS 2012 VSIX extension. Furthermore, although the vulnerability only affects clients, Microsoft "applied a patch both to VS Online and Codeplex that prevents the server from accepting pushes of .git\config files."

Apple has also announced a new Xcode 6.2 beta 3 release to fix the vulnerability: "The checks involved in disallowed paths did not account for case insensitivity or unicode characters. This issue was addressed by adding additional checks."

Finally, GitHub announced that they "completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered," and implemented a change to make sure "Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability."


hg fix by Paw Baltzersen

A fix for Mercurial was released on the 18th: mercurial.selenic.com/wiki/

Re: hg fix by Sergio De Simone

Thanks, I have added that info to the post.
