Slashdot Mirror


Rogue Source Code Repos Can Compromise Mac Security Due To Old Git Version (softpedia.com)

An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."

5 of 184 comments

  1. Yes, you *can* replace /usr/bin/git by Guy Harris · Score: 5, Informative

    First, you turn off System Integrity Protection by following the directions on Apple's Configuring System Integrity Protection page.

    Then, you replace it (or any other program you want, including /System/Library/Kernels/kernel).

    Then, if you want, you turn System Integrity Protection back on.

    1. Re:Yes, you *can* replace /usr/bin/git by Guy Harris · Score: 5, Insightful

      I'll get my grandmother on that.

      If your grandmother uses Git from the command line on her Mac, and would otherwise be capable of replacing /usr/bin/git, she might not find the extra steps described in Apple's document too problematic.

  2. Re:Compile and path by Anonymous Coward · Score: 5, Informative

    Because OS X resets PATH to the system defaults stored in /etc (which you can't edit for the same reason you can't update git) on anything launched by launchctl, which is basically anything you don't launch directly via the shell.

  3. Simple fix to old rogue source code issue by helixcode123 · Score: 5, Funny

    sudo port install nethack

    --

    In a band? Use WheresTheGig for free.

  4. Not Apple's Fault by Anonymous Coward · Score: 5, Informative

    It's not Apple's fault here. The git community developers completely and utterly botched this vulnerability. They announced it to the world, claiming it was fixed in 2.7.1 only to retract that a few days later after releasing 2.7.3 and then finally fixing it in 2.7.4. Apple released Xcode 7.3 just a couple days after git-2.7.4 was released, so it's no surprise that it doesn't contain the fix.

    Had the git community actually disclosed to companies ahead of the announcement (and better yet, had released a fix before the announcement, or even been *accurate* in the announcement), the vulnerability likely would have been fixed in Xcode 7.3. As it is, developers need to wait for Apple to spin an updated version of Xcode for this fix.

    The blame lies 100% on the git community for this debacle.

    See https://marc.ttias.be/oss-security/2016-03/msg00195.php for more details about how they completely failed here.
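The thread argues about who is to blame but never shows the two checks a practitioner actually wants: is the git this machine runs older than the fixed release, and which git does a program see when it inherits the system PATH rather than your shell's (the point raised in the "Re:Compile and path" comment). The script below is an added example, not code from the story, the researcher's blog or any commenter. It assumes, as the "Not Apple's Fault" comment states, that the fix shipped in git 2.7.4, and that `git --version` prints `git version X.Y.Z ...` as both Apple's and upstream git do; the version strings and directory layout used for testing are constructed. It runs on any POSIX sh without touching /usr/bin/git or SIP.

```shell
#!/bin/sh
# Added example, not from the Slashdot story or its commenters.
# Assumption: the fix landed in git 2.7.4 (per the "Not Apple's Fault"
# comment), so anything older is treated as affected.

FIXED_IN=2.7.4

# version_lt A B: succeed (0) if dotted version A sorts numerically before B.
# Missing components count as 0, so "2.7" < "2.7.4" and "2.7.4" < "2.7.10";
# plain string comparison would get the second one wrong.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# git_is_affected "<output of git --version>":
#   0 = older than 2.7.4, 1 = 2.7.4 or newer, 2 = line could not be parsed.
# Handles Apple's suffix, e.g. "git version 2.6.4 (Apple Git-63)".
git_is_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    version_lt "$ver" "$FIXED_IN"
}

# first_git PATHLIKE: print the first directory in a colon-separated list
# that holds an executable named git. Feed it the PATH a launchd-started
# app gets and you see which git that app will run, regardless of what
# your interactive shell has prepended.
first_git() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    for d in "$@"; do
        if [ -x "$d/git" ]; then printf '%s\n' "$d/git"; return 0; fi
    done
    return 1
}

# report: inspect the git this shell resolves and say what to do about it.
report() {
    g=$(command -v git 2>/dev/null) || { echo "no git on PATH"; return 2; }
    out=$("$g" --version 2>/dev/null)
    if git_is_affected "$out"; then
        echo "$g: '$out' predates $FIXED_IN"
        echo "Install a current git and put its directory before /usr/bin in PATH;"
        echo "leave /usr/bin/git (and System Integrity Protection) alone."
        echo "Apple's default PATH would pick: $(first_git /usr/bin:/bin:/usr/sbin:/sbin)"
        return 1
    fi
    echo "$g: '$out' is $FIXED_IN or newer"
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Run it with `sh check-git.sh --run`. The point of `first_git` is that fixing PATH in `~/.bash_profile` only helps processes that start from your shell; an editor or IDE launched from the Dock gets the system default, so the check must be made with that PATH, not the interactive one.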