
Git client – time to patch!

Pedro Venda 19 Dec 2014


No software is ever free from bugs and security vulnerabilities, such is life. Today it is Git’s turn with CVE-2014-9390: a serious vulnerability has been found in the Git client by which an attacker could inject executable code onto the clients of a given repository.

This issue manifests on case-insensitive file systems, in particular Windows and Mac OS X (HFS can be configured as case sensitive or insensitive, I forget which is the default). Most Linux distributions are fine, provided they use one of the common established file systems such as ext3/4, btrfs, etc.

What’s the problem?

In a nutshell, the vulnerability is that a repository’s configuration file, .git/config, can be overwritten when a client whose repository lives on a case-insensitive file system pulls or merges commits from a local or remote source. This configuration file contains options that can invoke shell commands, so the ability to modify it lets an attacker inject executable code on clients. By committing a file named .GiT/config containing the injected settings, the attacker causes vulnerable Git clients to overwrite their own .git/config with it, thereby incorporating the attacker’s configuration changes. On subsequent invocations of git the injected code is executed.

Conversely, on a case-sensitive file system .GiT/config and .git/config are different files, so the attacker’s commit does not overwrite the client’s configuration file. Git already had mechanisms that prevented a commit from writing to .git/config directly; the case-insensitive look-alike path is what bypassed them.

In practice, an attacker with read-write access to a repository could push a modified .GIT/config carrying malicious settings in order to overwrite vulnerable clients’ .git/config and cause them to execute the injected code. Due to the nature of Git I do not see a way of achieving this without the change being fully logged as with any other commit, so it would be easy to find out whether this type of attack had occurred.
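As an added illustration (not code from the original post), the following Python audit script scans a repository’s tree listing for any path component that matches .git regardless of case, which is exactly the collision this vulnerability relies on. The function names and the sample listing are constructed here; only case folding is checked, so it is an audit aid rather than a replacement for updating Git.

```python
#!/usr/bin/env python3
"""Audit tracked paths for components that collide with ".git" when case is ignored."""
import subprocess
import sys
from typing import Iterable, List


def find_dotgit_collisions(paths: Iterable[str]) -> List[str]:
    """Return every path that has a component equal to ".git" ignoring case.

    A path such as ".GiT/config" is harmless on a case-sensitive file system but
    would be checked out over the real .git/config on a case-insensitive one.
    Git tree listings always use "/" as the separator, even on Windows.
    Only case folding is checked here (an assumption of this example); patched
    Git also rejects other platform-specific equivalents, which this does not.
    """
    hits = []
    for path in paths:
        components = path.split("/")
        if any(component.lower() == ".git" for component in components):
            hits.append(path)
    return hits


def tracked_paths(rev: str = "HEAD", repo: str = ".") -> List[str]:
    """List every path in the tree of `rev` by asking git itself."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "--name-only", "--full-tree", rev],
        check=True, capture_output=True, text=True,
    ).stdout
    return [line for line in out.splitlines() if line]


# Constructed sample listing standing in for `git ls-tree -r --name-only` output.
SAMPLE_PATHS = [
    "README.md",
    "src/main.c",
    ".GiT/config",               # collides with .git/config when case is ignored
    "vendor/lib/.GIT/config",    # same problem inside a subdirectory
    ".gitignore",                # fine: component is ".gitignore", not ".git"
    "docs/git/usage.txt",        # fine: component is "git", not ".git"
]

if __name__ == "__main__":
    # Usage: audit_dotgit.py [rev] [repo]; with no arguments the sample listing is used.
    paths = tracked_paths(*sys.argv[1:3]) if len(sys.argv) > 1 else SAMPLE_PATHS
    bad = find_dotgit_collisions(paths)
    for path in bad:
        print(f"suspicious path: {path}")
    sys.exit(1 if bad else 0)
```

Run it against every branch or tag you mirror (for example in a pre-receive hook or a CI job) to catch such a path before a vulnerable client checks it out.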

Update to fix it

The vulnerability was disclosed together with the release of patched versions of Git, so all users need to do is update their client to the latest available version. Each currently maintained version has been updated in its latest maintenance release to fix this issue:

git 1.8 – 1.8.5.6
git 1.9 – 1.9.5
git 2.0 – 2.0.5
git 2.1 – 2.1.4
git 2.2 – 2.2.1
MSysGit – 1.9.5
libgit2 – 0.21.3
JGit – 3.5.3.201412180710-r

Any software that uses Git could also be vulnerable and might not be easy to patch, especially if the Git client is bundled with the software. In these cases it is a good idea to consult the vendor for a patch or an updated release.

For more information, please see the following references: