Rogue Source Code Repos Can Compromise Mac Security Due To Old Git Version (softpedia.com)
An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."
Well why can't you just compile a new git and stick it in your path?
sudo port install git
Not that complicated.
While I'm sure I could correct this as you describe, what I'm worried about is what impact this might have had on my checkout of the Rust programming language implementation's source code. As we all know, Rust's code is hosted on GitHub and its development is done there. If I checked out Rust on a Mac using the native git client does it mean that something could have happened with the Rust source code I checked out? Is there any way that I can verify that the Rust implementation code I have checked out is the correct code?
sudo port install git
echo "export PATH=/opt/local/bin:\$PATH" >> ~/.bashrc
Oh! The humanity!
(Requires https://www.macports.org/insta...)
As an aside, it's possible to override SIP, but it's a bit of a PITA.
First, you turn off System Integrity Protection by following the directions on Apple's Configuring System Integrity Protection page.
Then, you replace it (or any other program you want, including /System/Library/Kernels/kernel).
Then, if you want, you turn System Integrity Protection back on.
When you make a copy of a git repository on your machine, it's called "cloning" the repo. "Fork" is a GitHub buzzword.
I'm annoyed this is a problem and would like Apple to fix it, but using bullshit to spread a story is a bit counter-productive.
It's not old (about 4 months since release, mid-Dec 2015) and unless you're using integrated git in Xcode, very easy to upgrade via brew or macports.
.. and immediately thought it referred to: rogue(6) - exploring The Dungeons of Doom
What's next? wumpus implicated in a devastating yet thoroughly boring and tedious phishing attack?
It's called System Integrity Protection - intended to prevent the modification of system files that even root normally has no reason to touch. You can disable it, but honestly, you don't really need to.
Granted, it's a bummer that Apple hasn't tended to the Git client shipped with Xcode.
That said, I'd argue just about anyone who takes the trouble to install and use Xcode and the associated command line stuff that comes with it is going to know how to steer ($PATH) around (fink, macports) a problematic tool once informed about it.
She got this onto Slashdot, so the hard part is on its way to being handled: getting the word out.
Luke, help me take this mask off
Just because you're too stupid to install a package and modify a path doesn't mean everyone else is too. Your comment just showcases how much you don't know.
Does this mean that if your hardware vendor has a deity level above root then that is a bad thing?
134340: I am not a number. I am a free planet!
Because:
- Windows / Linux don't have security issues, and never have
- forking git repos containing malicious code is a real threat for the overwhelming majority of everyday Mac users
sudo port install nethack
In a band? Use WheresTheGig for free.
It's the punk "feature" that breaks mouse drivers on macs. Button 4 and button 5 for back and forward? No, no, use the $75 magic mouse (or whatever it costs) instead.
A flaw is a flaw and a shitty solution to have to implement is a shitty solution to have to implement. Get off Steve Jobs' necrotic dick.
brew install git
The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs.
Uh, it's not the repo that's under Apples control, it's the git application.
lol wat r u on about
It's not Apple's fault here. The git community developers completely and utterly botched this vulnerability. They announced it to the world, claiming it was fixed in 2.7.1 only to retract that a few days later after releasing 2.7.3 and then finally fixing it in 2.7.4. Apple released Xcode 7.3 just a couple days after git-2.7.4 was released, so it's no surprise that it doesn't contain the fix.
Had the git community actually disclosed to companies ahead of the announcement (and better yet, had released a fix before the announcement, or even been *accurate* in the announcement), the vulnerability likely would have been fixed in Xcode 7.3. As it is, developers need to wait for Apple to spin an updated version of Xcode for this fix.
The blame lies 100% on the git community for this debacle.
See https://marc.ttias.be/oss-security/2016-03/msg00195.php for more details about how they completely failed here.
Why is everyone so focused on replacing /usr/bin/git on their Mac? It's not git. It's just a stub that uses libxcselect to find git within Xcode:
$ otool -L /usr/bin/git
/usr/bin/git:
	/usr/lib/libxcselect.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
If you really want to replace it, replace the one inside of Xcode:
$ xcrun -f git
/Applications/Xcode.app/Contents/Developer/usr/bin/git
Or just wait for Apple to release an update with the fix, and go yell at the git developers for completely screwing up the disclosure of this vulnerability, thereby not giving companies time to prepare a release with the fix.
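A small check that follows from the two points above (the git on PATH is what actually runs, and 2.7.4 is the release the earlier comment names as carrying the fix). This is an added example, not code from any poster in this thread; the function names, the `FIXED_GIT_VERSION` constant and the sample "Apple Git-63" banner string are this example's own assumptions, and the live check simply runs whichever `git` the shell finds first on PATH.

```shell
#!/bin/sh
# Added example (not from any poster): report whether the git that PATH resolves to
# predates the version the thread names as fixed. FIXED_GIT_VERSION is taken from
# the comment above; everything else here is this example's own construction.
FIXED_GIT_VERSION="2.7.4"

# Turn a `git --version` banner such as "git version 2.6.4 (Apple Git-63)" into
# "2.6.4". Prints nothing if the line does not look like git's banner.
git_version_number() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*$/\1/p'
}

# Map "MAJOR.MINOR.PATCH" to one integer so versions compare numerically
# ("2.10.0" must sort after "2.9.5"; a plain string compare gets that wrong).
# Missing fields count as zero; fields beyond the third are ignored.
version_key() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit 0 when version $1 is strictly older than version $2.
version_older_than() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# Given a full `git --version` line: exit 0 if that git still needs the fix,
# 1 if it is at or past FIXED_GIT_VERSION, 2 if the line could not be parsed.
git_needs_upgrade() {
    v=$(git_version_number "$1")
    [ -n "$v" ] || return 2
    version_older_than "$v" "$FIXED_GIT_VERSION"
}

# Check the git a shell would actually run. On a Mac, /usr/bin/git is the
# libxcselect stub shown above, so this reports Xcode's git unless a Homebrew
# or MacPorts bin directory precedes /usr/bin in PATH.
check_path_git() {
    git_path=$(command -v git 2>/dev/null) || { echo "no git on PATH"; return 2; }
    banner=$("$git_path" --version 2>/dev/null)
    git_needs_upgrade "$banner" && rc=0 || rc=$?
    case $rc in
        0) echo "$git_path: $banner (older than $FIXED_GIT_VERSION, upgrade it)" ;;
        1) echo "$git_path: $banner (at or past $FIXED_GIT_VERSION)" ;;
        *) echo "$git_path: could not parse '$banner'" ;;
    esac
    return "$rc"
}

# Live check when run as a script; "|| :" keeps a non-zero result (git missing
# or outdated) from aborting a caller that runs under set -e.
check_path_git || :
```

The exit code of `check_path_git` is deliberately the same as `git_needs_upgrade`'s, so the script can be dropped into a provisioning or CI step that fails when an unpatched git is first on PATH. A constructed banner like "git version 2.6.4 (Apple Git-63)" exercises the parser without needing Xcode installed.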
Der Timmy goes a twerking down the street singing "Do wa did e did e dum did e do." He so happy he GIT SOM evah day singing "Do wa did e did e dum did e do."
Ha ha Queers
brew install git
Modify your .bash_profile to look like this:
vim ~/.bash_profile
OR whatever text editor you like
export PATH="/Users/randalls/anaconda/bin:/usr/local/bin:$PATH"
Where /usr/local/bin is BEFORE $PATH, don't forget the colon.
Let me Google that for you: http://www.cyberciti.biz/hardware/laptop-computers-with-linux-installed-or-preloaded/
According to MacRumors (and presumably, Apple) and this image:
http://cdn.macrumors.com/article-new/2016/01/piechart.png
Mac Net Sales apparently accounts for just 9 PERCENT of Apple's revenues.
You see that other big slice of Apple pie? The 68 percent? Yeah, that's iPhone. Apple report earnings next week. If enough people weren't dazzled into buying that throwback iPhone 5SE - or new iPhones in general - then Apple stock may start behaving as if it doesn't have Steve Jobs at the helm. I think we have a performance chart for that already.
What does all of this have to do with git on Mac? Well, obviously they'll jump on it now (I would hope) since it's in the spotlight. But you can see why it's possible that your OSX may not be getting the love and attention that you're expecting, or that you've grown accustomed to over all of those years and years of loyalty.
git 2.6.4 was released about a month before Xcode 7.3 beta was first seeded to developers. How does "one month old" equate to "very old"?
Do you want Apple to update versions of key components after starting the beta process just because the version number changes? git 2.7.0 came out just days before Xcode 7.3 beta1. It makes sense that they'd stick with 2.6.4 as it was a very stable version and there was no compelling reason to update until just a couple days before Xcode 7.3 was released.
they are all hands on their watch and phones
the sales are a bit low this season / year..
maybe they don't have time or lack motivation to fix this issue
I'm a macmini user since 2009, iphone / ipad user since 2010 but not for long .. I'm pissed off at that Apple-moochie ( long list of poor QA sw in the last years .. ) and switching to linux / ubuntu.
distrowatch.com
https://forums.virtualbox.org/
Linux and BSD are there for anybody who thinks pretty homosexual aluminum apple silhouettes or Global Mother Fucking Spyware suck.
https://en.wikipedia.org/wiki/Berkeley_Software_Distribution
$ git --version
git version 2.6.3
$ brew update
$ brew upgrade git
$ git --version
git version 2.8.1
Back to my git 1.9.3
Sounds like this won't be resolved until Apple releases its next Xcode update (or Command Line Tools for Xcode if you aren't using the IDE). Looking at previous release dates it seems that Apple releases new versions every three months and the previous version was released 21st of March 2016.
iApologist much?
lucm, indeed.
[not the original poster, just normal reading comprehension...]
(Probably) what he means is "Apple doesn't support more than 3 buttons on mice, unless it's their own overpriced $75 "magic mouse". Button 4 and 5 could be used (for example) for back and forward in a browser"
(Didn't even know that Macs support mice with more than one button, hehe, so 3 is already a neat progress...)
Try BetterTouchTool. It's a boss for mice and more.
Atlassian SourceTree isn't the greatest thing on earth, but it is parsecs better than the Xcode crap.
It also bundles a newer version of Git than the Mac (not 2.8, yet, but currently 2.7.4).
I work on a Mac in half a dozen languages and environments, so SourceTree gives me what I need to manage my repos.
Umm. . . USBOverdrive? Works nicely on El Capitan. All 8 buttons on my Logitech are mapped to useful functions.
Even the stock MS & Logitech drivers let you remap the extra buttons if you don’t want to shell out the $20 for USBOverdrive. USBOverdrive lets you setup keyboard & mouse macros per-application which can come in handy.
Macs have natively supported two- and three-button mice since Mac OS 8 in 1997. Mice with additional buttons work fine provided you have an appropriate driver for them, just like on Windows. If the manufacturer doesn't supply a driver for their extra buttons, there's third-party drivers that work with any USB HID compliant mouse. Logitech gaming mice, with all their buttons, work just fine on Mac OS X. Your troll is out of date...
Drivers... But what if some "punk" feature on your Mac prevents you from installing any drivers not blessed by Apple?
"Mice with additional buttons work fine provided you have an appropriate driver for them, just like on Windows."
I don't even need drivers in Windows. Yay fucking STANDARDS. Oh, Apple's never heard of those.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
What, you mean the USB HID standard that defines two axes of movement (X and Y) and three buttons? Or the Microsoft convention that certain buttons, on certain mice, should be mapped to forward and back—there being no actual standard for which USB HID button numbers should be mapped to those functions?
Apple builds themselves a walled garden, then utterly failed to prevent a fire from breaking out on the inside. This my friends is sweet poetic justice. A modern OS cannot exist in isolation like these hipster wannabes like to think it can. Apple is not omnipotent and it does not know what is best for you. Every informed Mac user I have ever met bought their system for the same reason, they don't want to take responsibility for their own security. Well guess what, that isn't possible and it never actually was.
Windows / Linux don't have security issues, and never have
I can very, very easily upgrade git on these operating systems, all by myself and without waiting on the OS vendor...
Get a real os, Linux rules!
GNUApologist much?
FTFY
Only in Internet parlance would something released 4 months ago be considered "very" old. There's literally a billion Android devices in the world that are susceptible to equal (and easier) attacks that are running software that is *years old* and will never be patched.
I take it you're from planet Seinfeld, where even what you manage to learn about life (generally frowned upon) does basically nothing to change your behaviour. In your haste to hew to "simplicity", one large worm MIRVed into multiple smaller worms, and you basically went (inside your own mind) "and the rest is fine print", without a whit of that thought making it to your fingers (heaven forbid that your 5m effort turn into a 5m30s effort).
Technical debt, meet treading-lightly-upon-the-fine-print debt. Back in the seventies, never a closet door was opened on a sitcom without twenty pounds of unused sports equipment cascading down from the storage shelf. And yet, in at least 50% of the buying public, a giant "on sale" tag attached to a racket handle still succeeded in disabling the part of the brain chanting quietly to itself "and where would I put it?"
Some people by nature tend to read the fine print. I'm one of those people, so I know how it goes. It's all too easy to slide into an enabling role, where half your day is spent—for little official credit—helping extract fine-print avoiders from the sports-sock snow pack when the karma closet finally comes tumbling down.
"Gosh, I had no idea snow could be so heavy."
"Would you like some rum with that? I've got this keg thing around my neck."
"I thought those were mechanical gills."
"No, the sound effects are made by a Raspberry Pi. It's actually a keg of rum."
"Wow, you're awfully prepared. I take it you do these rescues a lot?"
"Enough to learn how the pattern goes a hundred times over."
"How does it go?"
"Here's where it starts. Someone tosses off a quick 5m answer, without even noting that fine print exists, even if it only takes an extra ten words."
"But everyone knows that fine print exists."
"To judge by the state of your closet, you're a lapsed Catholic and I'm your indulgence."
"You sound bitter."
"Just a minor side effect of my cellulose diet."
Windows / Linux don't have security issues, and never have
I can very, very easily upgrade git on these operating systems, all by myself and without waiting on the OS vendor...
And yet you are too dumb to do it on a Mac - which makes you a computer expert. Impressive.
The most secure system is one with no inputs or outputs, and preferably no execution as well.
You are technically retarded. If you don't need ultra high security, don't use it. Don't pretend that there is no one who needs that level of security, or that there is some magic security mechanism you can apply which prevents malicious actions without impacting the user.
Depending on what you mean by "clean shutdown", you should just have to do some RBAC setup:
Edit /etc/security/exec_attr and add the following profile:
exec_attr:Shutdown:suser:cmd:::/usr/sbin/shutdown:uid=0;gid=1
Add this profile to /etc/user_attr:
yourusername::::profiles=Shutdown
Then your user can shutdown with /usr/bin/pfexec /usr/sbin/shutdown
Instructions taken from here.
As to the more general topic, all major OSes operate on the "Principle of Least Privilege", which in this case means discouraging casual use of the superuser account, or disabling it entirely. With apologies to Twain, "Suppose you were logged in as root all the time, and suppose you were an idiot. But, I repeat myself."
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
FWIW, the developer seed of Xcode 7.3.1 contains git 1.7.4.
Most decent programmers will have updated their machine's git version using Homebrew. People who are not capable of doing it probably won't even be using git in the first place. Also, it's possible to disable Apple's system protection by booting into recovery mode and running one or two commands, thus giving root its standard UNIX prerogatives. Many users, myself included, choose to do this.
"I decided I could write something better than everything out there in two weeks. And I was right." - Linus Torvalds
"What, you mean the USB HID standard that defines two axes of movement (X and Y) and three buttons?"
Care to point out where it's limited to three buttons? Because my little cheap no-brand 7 button mouse from China has all buttons recognized, no drivers. Perhaps if you understood that the interface standard allows for having the report descriptor changed to show more buttons being present via the mouse firmware (and has been since.. 2001 at least) you might not have made such a crucial mistake.
Since when does "very old" qualify as an accurate description of a release that occurred just over 4 months ago? While I believe Apple should fix this (and it shouldn't really be that hard), I think it's a bit disingenuous to characterize what they distributed this way. Especially when Debian is still distributing (patched) 2.1.4!
"A Mathematician is a machine for turning coffee into theorems." ~ Paul Erdos
"Mice with additional buttons work fine provided you have an appropriate driver for them, just like on Windows."
I don't even need drivers in Windows.
You probably haven't noticed that Windows tends to actually install drivers from the net every other time you plug in a more-than-three-button mouse. At least when moving between docking stations at work it does. And that's when it actually detects the USB mouse and keyboard for a change.
Of course news about a fake are Fake News.