Git Client Allows Malicious Code Execution
Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.
“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” Thursday’s advisory warned. “Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.”
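As an added illustration (not code from the advisory or from the Git project), here is a small Python check a defender can run over a repository's tree listing to flag path components that would land on the .git directory on a case-insensitive filesystem, which is the collision the advisory describes. The tree listing and helper names are constructed for this example, and HFS_IGNORABLE is my assumption of the code points OS X ignores when comparing names.

```python
# Constructed `git ls-tree -r` style listing (mode type sha<TAB>path).
# The all-zero sha is a placeholder, not a real object id.
ZERO = "0" * 40
SAMPLE_TREE = "\n".join([
    f"100644 blob {ZERO}\tREADME.md",
    f"100644 blob {ZERO}\t.gitignore",              # benign: not exactly .git
    f"100644 blob {ZERO}\t.Git/config",             # case collision on NTFS/HFS+
    f"100644 blob {ZERO}\tsrc/.GIT/hooks/post-checkout",
    f"100644 blob {ZERO}\tgit~1/config",            # NTFS 8.3 short name of .git
    f"100644 blob {ZERO}\t.g\u200cit/config",       # HFS+ drops U+200C when comparing
    f"100644 blob {ZERO}\tdocs/git/index.md",       # benign: no leading dot
])

# Assumed set of code points HFS+ ignores in name comparison; the core check
# below is the case-insensitive match, this only widens it for OS X.
HFS_IGNORABLE = (
    {0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF}
    | set(range(0x202A, 0x202F))
    | set(range(0x206A, 0x2070))
)


def normalize_component(name: str) -> str:
    """Fold case and drop code points an HFS+ name comparison would ignore."""
    return "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE).lower()


def collides_with_dotgit(component: str) -> bool:
    """True if this single path component would resolve to .git on Windows or OS X."""
    folded = normalize_component(component)
    # NTFS also strips trailing dots and spaces, so ".git." still opens .git.
    folded = folded.rstrip(". ")
    return folded in (".git", "git~1")


def find_dotgit_collisions(ls_tree_output: str) -> list[str]:
    """Return every repository path that has a component colliding with .git."""
    hits = []
    for line in ls_tree_output.splitlines():
        if not line.strip():
            continue
        _meta, _sep, path = line.partition("\t")
        if any(collides_with_dotgit(part) for part in path.split("/")):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for path in find_dotgit_collisions(SAMPLE_TREE):
        print("would overwrite .git on a case-insensitive filesystem:", path)
```

Run the same check against `git ls-tree -r HEAD` output from an untrusted repository before checking it out on Windows or OS X.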
You can download the new patched version and read up on the security fixes at http://article.gmane.org/
“We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts,” Vincent Marti from GitHub wrote.
In addition, the following updated versions of Git address this vulnerability:
The Git core team has announced maintenance releases for all current versions of Git (v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, and v2.2.1).
Git for Windows (also known as MSysGit) has released maintenance version 1.9.5.
The two major Git libraries, libgit2 and JGit, have released maintenance versions with the fix. Third-party software using these libraries is strongly encouraged to update.
We still don’t know how many systems, if any, were exploited; we strongly recommend that you patch your system as soon as possible.