A critical Git vulnerability that affects all Git client versions as well as any software that interacts with Git repositories has been discovered.
Ken Westin, Sr. Technical Marketing Manager and Security Analyst at Tripwire, explains the nature of the bug: “This vulnerability has serious implications for developers and other users of the popular Git client utilities. If a vulnerable Git client connects to a remote Git server that has a malicious Git tree, attackers can overwrite a configuration file and use remote code execution to compromise the system.”
The vulnerability is client-based, meaning that neither github.com nor GitHub Enterprises are directly affected.
“Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability,” comments GitHub’s engineering team in a statement regarding the bug.
For this reason, Westin recommends that all users of Git on Mac and Windows update their Git clients immediately.
Updated versions of GitHub for Windows and GitHub for Mac are now available for download. Both patch the vulnerability on the Desktop application as well as on the Git command-line client.
Linux clients, on the other hand, are not affected as long as they are running case-sensitive filesystems.
In addition to the download packages for Windows and Mac, GitHub has released a set of new maintenance releases (v18.104.22.168, v1.9.5, v2.0.5, and v2.1.4) that all patch the vulnerability. The two major Git libraries, libgit2 and JGit, have also released new releases incorporating the fix. A number of third-party software use either or both of the libraries. This includes Visual Studio, a service which allows developers to build and store their projects in the cloud and connects to Eclipse, Xcode, and other Git clients. It is recommended that any third-party software that makes use of the libraries implement the fix and update as soon as possible.