Menu
Critical vulnerability in Git clients puts developers at risk

Critical vulnerability in Git clients puts developers at risk

Malicious Git code repositories can execute rogue commands on client machines interacting with them

A critical vulnerability in client software used to interact with Git, a distributed revision control system for managing source code repositories, allows attackers to execute rogue commands on computers used by developers.

The flaw affects the official Git client as well as third-party clients and software based on the original Git code. The issue only affects implementations running on Windows and Mac OS X, not Linux, because their file systems are case-insensitive -- NTFS and FAT for Windows and HFS+ for Mac OS X.

"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," engineers from GitHub, a code repository hosting service, said in a blog post Thursday.

The desktop and command-line implementations of GitHub's own client software for Windows and Mac are affected and have been updated.

The Git development team released versions 1.8.5.6, 1.9.5, 2.0.5, 2.1.4, and 2.2.1 to address the flaw. Updates are also available for Git for Windows, also known as MSysGit, as well as the libgit2 and JGit libraries. Development software that use these libraries, such as Microsoft's Visual Studio, Apple's Xcode and Mercurial, have also been updated.

"We strongly encourage all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible, and to be particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts," the GitHub team said.

The company scanned all repositories hosted on GitHub for trees that might attempt to exploit this flaw, but didn't find any. It also implemented protections that prevent such repositories from being created in the future.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesintrusionGitHubsecurityExploits / vulnerabilities

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments