A critical security vulnerability affecting Git and Mercurial has been announced yesterday, that makes it possible for an attacker to execute arbitrary commands in the client machine. The vulnerability only affects clients running on OS X (HFS+) and Windows (NTFS, FAT). Both the Git core team and Mercurial team have published new releases (Git 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, and 2.2.1, Mercurial 3.2.3) fixing the vulnerability.
Junio C Hamano, Git maintainer since 2005, described the vulnerability in his blog:
Git maintains various meta-information for its repository in files in.git/ directory located at the root of the working tree. The system does not allow a file in that directory (e.g..git/config) to be committed in the history of the project, or checked out to the working tree from the project. Otherwise, an unsuspecting user can run git pull from an innocuous-looking-but-malicious repository and have the meta-information in her repository overwritten, or executable hooks installed by the owner of that repository she pulled from (i.e., an attacker).
This protection has been found to be inadequate on case-insensitive file systems, continues Junio, since an attacker could commit, e.g., a .Git/anything file to have it replace a corresponding file in the .git directory. All versions of Windows using FAT or NTFS, and versions of OS X using case-insensitive HFS+, which is the default option, are thus vulnerable.
The vulnerability can be exploited also in other ways. Indeed, both Windows and OS X map "certain path components that are different from .git to .git, e.g. "git~1/config" on Windows and .g\u200cit/config on OS X are treated as if it were .git/config.
This vulnerability is not known to affect Linux systems, unless they use a case-insensitive file system, which is not a usual option.
Microsoft has released patches for their tools, including Visual Studio 2013 RTM, Visual Studio 2013 Update 4 and VS 2012 VSIX extension. Furthermore, although the vulnerability only affects clients, Microsoft "applied a patch both to VS Online and Codeplex that prevents the server from accepting pushes of .git\config files."
Apple has announced a new Xcode 6.2 beta3 release, too, to fix the vulnerability: "The checks involved in disallowed paths did not account for case insensitivity or unicode characters. This issue was addressed by adding additional checks."
Finally, GitHub announced that they "completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered," and implemented a change to make sure "Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability."