December 31, 2014

Git Vulnerability: Update Your Clients

The Git v2.2.1 release of December 18, 2014, patches a vulnerability as described in the announcement on the official Git mailing list. The purpose of this blog post is to (1) explain briefly what the vulnerability is, (2) assess the threat, and (3) explain how it affects users of Perforce Git Fusion.

First, the vulnerability affects only Windows and Mac users (not Linux), because of the way their file systems work. Without going into too much detail, the vulnerability makes it possible to force Git to overwrite its own .git/config file when cloning from a repository. A clever attacker could exploit this so that subsequent Git commands do unexpected, if not downright unpleasant, things.

Many Git users pay no attention to the contents of the usually-hidden .git folder, but it can be helpful to understand that the config file located there is the local repository configuration file. And just like the user’s configuration file, it may contain aliases that are expanded when commands are executed. As such, any vulnerability that makes it possible to overwrite this file is clearly A Bad Thing™.
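As an added example (not part of the original post, and not Git's own code), here is a simplified reader for the `[alias]` section of a local `.git/config` that flags aliases beginning with `!`, which Git runs as shell commands. The sample config and the function names are constructed for illustration, and the parser ignores escaped quotes, line continuations and includes.

```python
import re

# Constructed sample of a local .git/config (not taken from any real repository).
SAMPLE_CONFIG = '''\
[core]
    ignorecase = true
[remote "origin"]
    url = https://example.com/project.git
[Alias]
    co = checkout
    st = status -sb   ; harmless shorthand
    up = "!sh -c 'echo constructed-shell-alias'"
'''

SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"(.*)")?\s*\]')
KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


def strip_comment(value):
    """Drop a trailing '#' or ';' comment that sits outside double quotes."""
    out, quoted = [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in '#;' and not quoted:
            break
        out.append(ch)
    return ''.join(out).strip()


def audit_aliases(config_text):
    """Return [(alias, expansion, runs_shell)] for every [alias] entry."""
    findings, section = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()  # section names are case-insensitive
            continue
        m = KEYVAL.match(line)
        if m and section == 'alias':
            value = strip_comment(m.group(2)).strip('"')
            # Git runs an alias whose expansion begins with '!' as a shell command.
            findings.append((m.group(1).lower(), value, value.startswith('!')))
    return findings
```

On a real clone, `git config --local --get-regexp '^alias\.'` lists the same entries using Git's own parser.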

To assess the threat, let’s consider the steps required to exploit this vulnerability. An attacker would need commit rights to a repository, would have to add a file with a name specifically tailored to leverage the affected file systems, and would need an intended victim to both pull from that repository and then execute something aliased in the newly overwritten local configuration file. In short, it’s bad enough that affected users should immediately update their Git clients, but it isn’t the end of all things.

Perforce users may be reassured that the Git Fusion server is not itself vulnerable. Git Fusion runs on Linux, which has a case-sensitive file system that is not vulnerable, so updating your Git clients is all you need to protect yourself. So be sure to update all your Git clients and avoid falling prey to unwanted aliases in the New Year.