A critical vulnerability affecting all versions of the official Git client and all related software that interacts with Git repositories has been found and patched, and developers are advised to update their software as soon as possible.
“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” GitHub’s Vincent Marti explained.
Only Windows and OS X Git clients are affected. Github.com and GitHub Enterprise are not.
Technically, this vulnerability only affects developers who pull from repositories where they don’t know and don’t trust the people who are allowed to update them. Still, they are all advised to implement the update, and to be careful when cloning or accessing Git repositories hosted on unsafe or untrusted hosts.
There is currently no indication that the bug is being exploited in the wild.
“Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push,” noted Marti. “We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.”
He also helpfully included links to the updated versions of the GitHub clients, Git, Git for Windows and the libgit2 and JGit Git libraries.