Git Vulnerability on Mac OS X and Windows

Today the Git core team announced a security vulnerability and a corresponding fix. Hats off to the Mercurial team (yes, Mercurial!) for finding the problem. Hats off to the Git team for making the announcement, and for delivering a fix so quickly.

What’s the Problem?

If your Git installation remains unpatched, then a malicious person could overwrite the .git/config file in one of your repositories. This would allow them to alter your Git history and make changes in the repo without your knowledge.

The vulnerability exists on Mac OS X and Microsoft Windows. This article will discuss solving the problem on Mac OS X only, since that is my primary development platform.

Mac and Windows users are exposed because their file systems are not case-sensitive by default. Linux users who use a case-sensitive file system are protected. But Linux users might want to apply the patch anyway because (as stated by the Git core team):

Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git.
~Git Core Team

Is My Machine Vulnerable?

I know that my machine was vulnerable because I was running an unpatched version of Git, as seen below.


~$ git --version
git version 2.1.3

~$ 

How to Upgrade

Homebrew makes it easy to install and maintain Git. First, update Homebrew…


~$ brew update
Updated Homebrew from d243310d to a6ab9f13.
==> New Formulae
abi-compliance-checker        deis                     glbinding
asciinema             distribution                rbenv-bundle-exec
ctunnel                  game-music-emu           restund
==> Updated Formulae
abcm2ps                         jags
afl-fuzz                    jansson

...

~$ 

Then, upgrade Git…


~$ brew upgrade git
==> Upgrading 1 outdated package, with result:
git 2.2.1
==> Upgrading git
==> Downloading https://downloads.sf.net/project/machomebrew/Bottles/git-2.2.1.y
######################################################################## 100.0%
==> Pouring git-2.2.1.yosemite.bottle.tar.gz
==> Caveats
The OS X keychain credential helper has been installed to:
  /usr/local/bin/git-credential-osxkeychain

The "contrib" directory has been installed to:
  /usr/local/share/git-core/contrib

Bash completion has been installed to:
  /usr/local/etc/bash_completion.d

zsh completion has been installed to:
  /usr/local/share/zsh/site-functions
==> Summary
    /usr/local/Cellar/git/2.2.1: 1356 files, 31M

~$ 

… and finally, verify that the patched version is in use.


~$ git --version
git version 2.2.1

~$ 

Avoid Conflicts With Apple’s Git

As Kristjan Cocev notes in the comments below, Mac OS X comes with its own Git installation. By the time you bought the machine, that pre-installed version was probably out of date. My pre-installed Git was:


~$ /usr/bin/git --version
git version 1.9.3 (Apple Git-50)

~$ 

Apple’s pre-installed Git isn’t bad, but here’s the problem. Depending on how your PATH variable is set up, there might be a conflict between Apple-installed Git and the one you installed via Homebrew: whichever one the shell finds first on the PATH is the one that runs when you type git.

Here are two alternatives for fixing the conflict before it causes problems.

  1. Change your PATH variable so that Homebrew-installed Git is found before Apple-installed Git, OR…
  2. Rename Apple-installed Git as follows:

~$ sudo mv /usr/bin/git /usr/bin/git-apple
Password:

~$ 

So now, if you want to use Apple’s pre-installed Git (unlikely) you can simply run it as /usr/bin/git-apple.
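
The script below runs the check from "Is My Machine Vulnerable?" against every Git on the PATH, which also shows whether the Homebrew/Apple conflict described in this section applies to you. It is an added example, not part of the original article: the function names are hypothetical, and it assumes 2.2.1 (the patched version shown above) as the threshold, so a patched maintenance release on an older branch would still be reported as older.

```shell
# Added example (not from the original article): audit every git on PATH.
# Assumption: the threshold is 2.2.1, the patched version the article shows.
PATCHED="2.2.1"

# Pull "X.Y.Z" out of output such as "git version 1.9.3 (Apple Git-50)".
parse_git_version() {
  printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*[0-9]\).*/\1/p'
}

# Succeed (exit 0) when version $1 is older than $2, compared numerically.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Classify one line of `git --version` output.
classify() {
  v=$(parse_git_version "$1")
  if [ -z "$v" ]; then echo "unknown"
  elif version_lt "$v" "$PATCHED"; then echo "older than $PATCHED"
  else echo "ok"
  fi
}

# Print each executable named git on PATH, in the order the shell searches it.
list_gits() {
  old_ifs=$IFS; IFS=:
  for dir in $PATH; do
    p="${dir:-.}/git"
    if [ -f "$p" ] && [ -x "$p" ]; then printf '%s\n' "$p"; fi
  done
  IFS=$old_ifs
}

# Report every git found; "*" marks the first hit, the one a bare `git` runs.
audit() {
  mark="*"
  list_gits | while IFS= read -r bin; do
    line=$("$bin" --version 2>/dev/null </dev/null | head -n 1)
    printf '%s %s: %s [%s]\n' "$mark" "$bin" "$line" "$(classify "$line")"
    mark=" "
  done
}
audit
```

If the line marked with "*" is reported as older, the PATH still resolves to the unpatched binary even though a newer one is installed.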

Open Source Rocks

Again, hats off to everyone in the open source community who pulled together to make this fix happen!
