Slashdot Mirror


Rogue Source Code Repos Can Compromise Mac Security Due To Old Git Version (softpedia.com)

An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."

5 of 184 comments

  1. macports by feranick · Score: 1, Insightful

    sudo port install git
    Not that complicated.

  2. Re:Yes, you *can* replace /usr/bin/git by Guy+Harris · Score: 5, Insightful

    I'll get my grandmother on that.

    If your grandmother uses Git from the command line on her Mac, and would otherwise be capable of replacing /usr/bin/git, she might not find the extra steps described in Apple's document too problematic.

  3. Re: Yes, you *can* replace /usr/bin/git by Guy+Harris · Score: 3, Insightful

    Apple thinks the users of their products are too stupid to handle the root account.

    If you mean "Apple makes it hard to log in as root", true, but so what? About the only OS into which I log in as root these days is Solaris 10, and that's because they don't let you do a clean shutdown of the system as an ordinary user (unless I've missed something) - I use sudo or su in those cases where I need to do stuff as root.

    What makes Apple think their users understand SIP?

    Most of their users neither understand it nor need to understand it.

    Some of their users do need to understand it, and can understand it; that article is published for them.

  4. Re:Yes, you *can* replace /usr/bin/git by lucm · Score: 1, Insightful

    Two points.

    1) forking GitHub repos has long stopped being something that requires deep technical skills; it's basically the modern Download.com

    2) Apple products are supposed to be designed for regular people and the Apple ecosystem is supposed to be closed so they can control quality. Fail and fail.

    --
    lucm, indeed.

  5. Re:Not Apple's Fault by shawn2772 · Score: 4, Insightful

    The blame lies 100% on the git community for this debacle.

    That was true for a few days after the release of 2.7.4, maybe even a few weeks, if we're generous. But the blame gradually shifts to Apple as time goes on and they leave the vulnerability unpatched. By now, it's 100% on Apple. It's not as though Apple doesn't have a mechanism for delivering patches, either.
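A check that ties the thread together: the summary's point that the bundled /usr/bin/git is 2.6.4, comment 1's suggestion of installing a newer git via MacPorts, and comment 5's mention of 2.7.4 as the release that shipped the fix. This is an added example, not code from the thread, Apple or MacPorts; it assumes `git --version` prints "git version X.Y.Z ..." and treats any git older than 2.7.4 that wins in PATH as unpatched.

```sh
#!/bin/sh
# Added example: report whether the git found first in PATH is still an
# unpatched build. Assumption (from the thread): versions below 2.7.4 are
# vulnerable, so a newer git must come before /usr/bin/git in PATH.

# version_lt A B: succeeds if dotted version A is older than B
# (up to three numeric components; missing components count as 0).
version_lt() {
    v1=$1; v2=$2
    oldifs=$IFS; IFS=.
    set -- $v1; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $v2; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return; fi
    [ "$a3" -lt "$b3" ]
}

# parse_git_version LINE: extract "X.Y.Z" from a "git --version" line such as
# "git version 2.6.4 (Apple Git-NN)" (the suffix is a constructed sample).
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# check_git: inspect the git that PATH resolves to (not necessarily /usr/bin/git).
# Returns 0 if patched, 1 if older than 2.7.4, 2 if git is missing or unparseable.
check_git() {
    gitpath=$(command -v git 2>/dev/null) || { echo "no git in PATH"; return 2; }
    ver=$(parse_git_version "$("$gitpath" --version)")
    [ -n "$ver" ] || { echo "could not parse version from $gitpath"; return 2; }
    if version_lt "$ver" 2.7.4; then
        echo "UNPATCHED: $gitpath is git $ver (< 2.7.4); put a newer git ahead of it in PATH"
        return 1
    fi
    echo "OK: $gitpath is git $ver"
}

# Stand-alone use: print the report; the status is left in $? rather than aborting.
check_git || :
```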