Slashdot Mirror


Rogue Source Code Repos Can Compromise Mac Security Due To Old Git Version (softpedia.com)

An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."

11 of 184 comments

  1. It's Impossible!!! by konohitowa · · Score: 4, Informative

    sudo port install git
    echo "export PATH=/opt/local/bin:\$PATH" >> ~/.bashrc

    Oh! The humanity!

    (Requires https://www.macports.org/insta...)

    As an aside, it's possible to override SIP, but it's a bit of a PITA.

    1. Re:It's Impossible!!! by 93+Escort+Wagon · · Score: 4, Informative

      Yup, boy howdy that was hard.


      $ git --version
      git version 2.6.4 (Apple Git-63)
      $ fink install git
      ... chatty installation text ...
      $ hash -r
      $ which git
      /sw/bin/git
      $ git --version
      git version 2.8.0
      $

      But, still, it is annoying that a lot of the various standard developer tools provided by Apple are significantly older than their current counterparts on most other Unix systems.

      --
      #DeleteChrome

  2. Yes, you *can* replace /usr/bin/git by Guy+Harris · · Score: 5, Informative

    First, you turn off System Integrity Protection by following the directions on Apple's Configuring System Integrity Protection page.

    Then, you replace it (or any other program you want, including /System/Library/Kernels/kernel).

    Then, if you want, you turn System Integrity Protection back on.

  3. Re:Compile and path by Anonymous Coward · · Score: 5, Informative

    Because OS X resets PATH to the system defaults stored in /etc (which you can't edit for the same reason you can't update git) on anything launched by launchctl, which is basically anything you don't launch directly via the shell.

  4. Not Apple's Fault by Anonymous Coward · · Score: 5, Informative

    It's not Apple's fault here. The git community developers completely and utterly botched this vulnerability. They announced it to the world, claiming it was fixed in 2.7.1 only to retract that a few days later after releasing 2.7.3 and then finally fixing it in 2.7.4. Apple released Xcode 7.3 just a couple days after git-2.7.4 was released, so it's no surprise that it doesn't contain the fix.

    Had the git community actually disclosed to companies ahead of the announcement (and better yet, had released a fix before the announcement, or even been *accurate* in the announcement), the vulnerability likely would have been fixed in Xcode 7.3. As it is, developers need to wait for Apple to spin an updated version of Xcode for this fix.

    The blame lies 100% on the git community for this debacle.

    See https://marc.ttias.be/oss-security/2016-03/msg00195.php for more details about how they completely failed here.

  5. /usr/bin/git *ISN'T* git by Anonymous Coward · · Score: 4, Informative

    Why is everyone so focused on replacing /usr/bin/git on their Mac? It's not git. It's just a stub that uses libxcselect to find git within Xcode:

    $ otool -L /usr/bin/git
    /usr/bin/git:
        /usr/lib/libxcselect.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)

    If you really want to replace it, replace the one inside of Xcode:

    $ xcrun -f git
    /Applications/Xcode.app/Contents/Developer/usr/bin/git

    Or just wait for Apple to release an update with the fix, and go yell at the git developers for completely screwing up the disclosure of this vulnerability, thereby not giving companies time to prepare a release with the fix.

  6. Re:Compile and path by Anonymous Coward · · Score: 4, Informative

    ~/.profile won't work, because launchctl ignores it.

    In OS X, programs that are launched from the GUI have never touched an actual shell. Their parent process is "launchd" and "launchd" is init. As I understand it, as of OS X 10.9, launchd simply hardcodes the PATH and entirely ignores the contents of /etc. Prior to that it would use /etc/environment or something like that (but not /etc/profile).

    When you launch something from the Dock or double-clicking on it, it's launched via launchctl and that ultimately execs it off launchd. It never sees a shell and never sees ~/.profile.

    So you can replace git and use a different git in shells you start, but if you want to prevent, say, an IDE from using the system git it finds via the PATH - you can't. There's no way to adjust the PATH that the majority of applications use.

  7. Re:Compile and path by Anonymous Coward · · Score: 2, Informative

    You can also update the system path with the following and reboot.

    sudo launchctl config system path 'xxx'
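Several comments above (the MacPorts and Fink installs, the /usr/bin/git stub that `xcrun -f git` resolves, and the separate PATH that launchd hands to GUI-launched apps) add up to one practical question for a defender: which git binaries can this Mac actually reach, and is each one at or above 2.7.4, the version comment 4 names as carrying the fix? The script below is an added example, not code from the thread or from any commenter. It takes the MacPorts (/opt/local/bin) and Fink (/sw/bin) locations, `xcrun -f git` and the fixed version from the comments; `launchctl getenv PATH`, used to read the PATH that launchd passes to applications, is a real launchctl subcommand but is not mentioned in the thread. It degrades gracefully on a machine without xcrun or launchctl, so it can also be run on a non-Mac to exercise the version parsing.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit every git a Mac can
# reach and classify each against the version the thread names as fixed.
# Assumptions: fixed version 2.7.4, MacPorts in /opt/local/bin, Fink in
# /sw/bin, "xcrun -f git" for the Xcode copy (all from the comments above);
# "launchctl getenv PATH" for the launchd environment is this script's own addition.

FIXED_GIT_VERSION="2.7.4"

# Pull the dotted version out of "git --version" output,
# e.g. "git version 2.6.4 (Apple Git-63)" -> "2.6.4". Prints nothing on no match.
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 >= dotted version $2, compared
# component by component as integers, so 2.10.0 ranks above 2.9.5.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        : "${a:=0}"; : "${b:=0}"            # a missing component counts as 0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 0
}

# Classify one "git --version" string: prints fixed, vulnerable or unknown.
classify_git_version_output() {
    ver=$(parse_git_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$FIXED_GIT_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Print the first executable named $1 found on the colon-separated PATH $2
# (the same lookup a shell or launchd-started app performs); exit 1 if none.
first_on_path() {
    name="$1"; path="$2"
    (
        IFS=:
        for dir in $path; do
            if [ -x "$dir/$name" ]; then printf '%s\n' "$dir/$name"; exit 0; fi
        done
        exit 1
    )
}

# One report line: label, binary path, classification (or "absent").
report_git() {
    if [ -n "$2" ] && [ -x "$2" ]; then
        out=$("$2" --version 2>/dev/null || true)
        printf '%-14s %-55s %s\n' "$1" "$2" "$(classify_git_version_output "$out")"
    else
        printf '%-14s %-55s %s\n' "$1" "${2:-<none>}" "absent"
    fi
}

# Walk every git the thread mentions, then the one a shell would pick and
# the one a GUI-launched IDE would pick from launchd's PATH.
audit_git_binaries() {
    report_git "stub"        /usr/bin/git
    report_git "macports"    /opt/local/bin/git
    report_git "fink"        /sw/bin/git
    if command -v xcrun >/dev/null 2>&1; then
        report_git "xcode"   "$(xcrun -f git 2>/dev/null || true)"   # real binary behind the stub
    fi
    report_git "shell PATH"  "$(first_on_path git "$PATH" || true)"
    if command -v launchctl >/dev/null 2>&1; then
        launchd_path=$(launchctl getenv PATH 2>/dev/null || true)
        report_git "launchd PATH" "$(first_on_path git "$launchd_path" || true)"
    fi
}

audit_git_binaries
```

The two lines worth comparing are "shell PATH" and "launchd PATH": a MacPorts or Fink git that fixes the shell does nothing for an IDE that inherits launchd's environment, which is exactly the gap comments 6 and 7 describe, and the "xcode" line shows whether the copy behind the stub has been updated at all.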

  8. Re:Compile and path by Darinbob · · Score: 3, Informative

    You can fix this stuff. True, the latest El Capitan crap tries to prevent root from doing some things but you can override it with the secret mantra easily found in web searches. Anyone using "git" on OSX is probably already using MacPorts or something similar. The default tools that come with OSX or Xcode really only exist as an iOS development support system and can be ignored.

  9. Re:She's Assuming Naive Devs, Then by TheRaven64 · · Score: 3, Informative

    The version of bash shipped is the last GPLv2 version (plus patches). Apple doesn't ship any GPLv3 code.

    --
    I am TheRaven on Soylent News

  10. Re:Very Old? by Lumpy · · Score: 3, Informative

    It's an apple hate story that actually is devoid of anything useful.

    --
    Do not look at laser with remaining good eye.