UPDATED 12:50 EDT / DECEMBER 19 2014

GitHub urges developers to patch critical Git client bug

GitHub has revealed the existence of a flaw in its client software, and is recommending users upgrade to a new version as soon as possible.

The vulnerability was first announced on GMANE, and it was later confirmed by GitHub itself, which simultaneously issued a patch. It’s recommending that “all users of GitHub and GitHub Enterprise update their Git clients as soon as possible.”

The critical flaw is said to affect all Windows and Mac-based versions of the official Git client, as well as related software that interacts with Git repositories, said GitHub in an advisory published on Thursday. Attackers can exploit the bug to remotely execute malicious code when the client software accesses compromised Git repositories.

“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” warned GitHub. “Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.”

Technically speaking, the vulnerability should only be of concern to developers who pull resources from repositories they don’t trust. Nevertheless, every user is being urged to implement the new update as soon as possible, and to be careful when attempting to access or clone Git repositories on unsafe or untrusted hosts.

GitHub says there’s no indication that the bug is being exploited in the wild, but now that it has become public knowledge, it’s a sure bet that someone will try. One good piece of news is that repositories hosted on GitHub.com itself aren’t affected by the bug, because the site uses a verification process to scan pushed content for malicious trees. However, many other sites hosting repositories don’t implement this security measure.
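As an added illustration of the kind of server-side check the article credits GitHub.com with (example code written for this page, not GitHub’s or Git’s own implementation), the following Python scans a tree listing for path components that would collide with `.git` on a case-insensitive filesystem, which is what the crafted tree quoted above relies on. The set of HFS+ ignorable code points and the NTFS `git~1` short-name alias are assumptions that go beyond what the article states.

```python
from typing import List

# Code points HFS+ drops when comparing file names (assumption: a
# representative subset; the article only says HFS+, NTFS and FAT compare
# names case-insensitively).
HFS_IGNORABLE = {0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C,
                 0x202D, 0x202E, 0x206A, 0x206B, 0x206C, 0x206D, 0x206E,
                 0x206F, 0xFEFF}


def normalise_component(component: str) -> str:
    """Map one path component to how a case-insensitive filesystem sees it."""
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    return stripped.casefold()


def is_dotgit_alias(component: str) -> bool:
    """True if this component would land on the real .git directory."""
    norm = normalise_component(component)
    if norm == ".git":
        return True
    # NTFS 8.3 short names map '.git' to 'GIT~1' (assumption: standard 8.3
    # aliasing, not something the article spells out).
    return norm == "git~1"


def flag_suspicious_paths(tree_listing: str) -> List[str]:
    """Return each path from a `git ls-tree -r --name-only` style listing
    that contains a component colliding with .git, i.e. an entry that could
    overwrite .git/config or a hook when the tree is checked out."""
    flagged = []
    for path in tree_listing.splitlines():
        if not path.strip():
            continue
        if any(is_dotgit_alias(part) for part in path.split("/")):
            flagged.append(path)
    return flagged


# Constructed sample listing, mixing benign entries with collisions.
SAMPLE_TREE = """README.md
.gitignore
.Git/config
src/main.c
docs/.GIT/hooks/post-checkout
git~1/config
.g\u200cit/config
"""

if __name__ == "__main__":
    for bad in flag_suspicious_paths(SAMPLE_TREE):
        print("reject:", repr(bad))
```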

In other words, all Git users should update now just to be on the safe side. The newly patched GitHub for Windows can be found here, while GitHub for Mac can be downloaded here.

photo credit: JeremyHall via photopin cc

