Slashdot Mirror


Critical Git Security Vulnerability Announced

An anonymous reader writes GitHub has announced a security vulnerability and has encouraged users to update their Git clients as soon as possible. The blog post reads in part: "A critical Git security vulnerability has been announced today, affecting all versions of the official Git client and all related software that interacts with Git repositories, including GitHub for Windows and GitHub for Mac. Because this is a client-side only vulnerability, github.com and GitHub Enterprise are not directly affected. The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine. Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem.... Updated versions of GitHub for Windows and GitHub for Mac are available for immediate download, and both contain the security fix on the Desktop application itself and on the bundled version of the Git command-line client."
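The advisory above says the problem is a tree entry that is not literally `.git` but becomes `.git` once a case-insensitive or case-normalizing filesystem gets hold of it. The check below is an added example (not code from the original post, GitHub, or the Git project) of the defensive idea behind the fix: fold every path component the way such a filesystem would and reject anything that collides with `.git`. The folding goes a little beyond the text: besides case-folding and Unicode normalization it strips a small set of codepoints that HFS+ is assumed to ignore when comparing names, and treats the NTFS 8.3 short form `git~1` as an alias of `.git`; both of those sets are assumptions of this example. The tree listing is constructed.

```python
import unicodedata

# Codepoints assumed (for this example) to be ignored by HFS+ when it compares
# file names, so ".g<U+200C>it" and ".git" land on the same directory entry.
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}

# Assumed NTFS 8.3 short name that aliases a ".git" directory.
NTFS_DOTGIT_SHORT = "git~1"


def fold_component(name: str) -> str:
    """Return the form a single path component takes on a case-insensitive,
    case-normalizing filesystem: ignorable codepoints dropped, Unicode
    composition normalized, case folded."""
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    normalized = unicodedata.normalize("NFC", stripped)
    return normalized.casefold()


def is_dotgit_component(name: str) -> bool:
    """True if this component would be stored as the repository's .git directory."""
    folded = fold_component(name)
    return folded == ".git" or folded == NTFS_DOTGIT_SHORT


def find_dotgit_collisions(tree_paths):
    """Given the paths of a tree (as a checkout would write them), return the
    ones that contain a component aliasing .git. A checkout should refuse a
    tree for which this list is non-empty instead of writing it to disk."""
    flagged = []
    for path in tree_paths:
        if any(is_dotgit_component(c) for c in path.split("/")):
            flagged.append(path)
    return flagged


# Constructed tree listing: a few benign entries mixed with the kinds of
# components the advisory warns about.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".git/config",                     # literal; Git always refuses this
    ".GIT/config",                     # case-insensitive collision
    ".g\u200cit/hooks/post-checkout",  # HFS+ ignorable codepoint inside the name
    "GIT~1/config",                    # NTFS short-name alias
    "docs/.gitignore",                 # benign: ".gitignore" is not ".git"
    ".github/workflows/ci.yml",        # benign: ".github" is not ".git"
]

if __name__ == "__main__":
    for p in find_dotgit_collisions(SAMPLE_TREE):
        print("would alias .git on a case-folding filesystem:", p)
```

Checking components rather than whole paths matters: `docs/.gitignore` and `.github/...` must pass, while a `.git` lookalike at any depth must fail, because a checkout of `a/.GIT/config` inside a nested working tree is the same problem one level down.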

1 of 148 comments

  1. OS X - Case sensitive and sensationalism by BitZtream · · Score: 0, Redundant

    No developer worth mentioning runs OS X with a case insensitive file system, and there are only 2 sets of Applications that don't work on case sensitive file systems on OS X:
    Steam - because ... well I have no fucking idea why Steam doesn't support case sensitive volumes on OS X when it does so on Linux
    Adobe * - Because according to Adobe the Apple development toolchain doesn't work right and so they can't support case sensitivity ... regardless of the fact that everyone else for OS X except Adobe and Valve is capable of doing so OUT OF THE BOX WITH NO MODIFICATIONS TO THEIR SOFTWARE ... oh and Adobe has never presented an example of how the tools are broken illustrating their problem, they just keep saying 'broken tools! broken tools!'

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager