Application Security

Major Git Security Vulnerability Discovered Causing GitHub to Encourage Update to Git Clients

18 Dec 2014 2:11pm, by

A major Git security vulnerability has been discovered and has forced GitHub to issue a warning and request for users to update their Git clients.

According to a GitHub blog post, the vulnerability affects “all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. ”

Due to the vulnerability, GitHub is encouraging all of its users of GitHub and GitHub Enterprise to update their Git clients and be “particularly careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.”

Here’s how the vulnerability works:

Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.

Bryan Helmkamp, CEO and Founder of CodeClimate said the attacks are significant for a number of reasons:

The blog post explains that Github verifies and blocks malicious trees that trigger the vulnerability. They say that means repositories on github.com are protected. To further address the issue, GitHub has done a scan of existing content on github.com  in search of “malicious content that might have been pushed to our site before this vulnerability was discovered.”

Updated versions of GitHub for Windows and GitHub for Mac are available for download.

According to GitHub, more details on the vulnerability can be found in the official Git mailing list announcement and on the git-blame blog.

A newsletter digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.