7

The recent git remote execution vulnerability states that all git clients with a version <2.7.1 are vulnerable and that most Linux distributions have included the fixes already.

However, as of today,

$ git --version
git version 2.6.4 (Apple Git-63)
$

on an up-to-date, out of the box Mac OS X dev machine.

Does this then leave most of the developers on Mac OS X who are using the Apple developer tools out of the box vulnerable to this attack?

What can be done, other than

  • manually installing a newer git client or
  • not using git for foreign repositories at the moment?
Tobi Nary
  • Your question appears to be if using old software with a known security issue is a security risk – Phil Lello Mar 24 '16 at 20:08
  • 1
    My question is: What can be done when the software from the default ecosystem is old and no security fixes are provided? – Tobi Nary Mar 24 '16 at 21:06
  • 1
    If that is your question, you need to edit your title. Secondly, at the time of this writing, there is no higher version than the one you have installed for Macs. The only options are the ones you outlined. – schroeder Mar 25 '16 at 00:03
  • Apple's version number of an executable does not necessarily correspond to the "mainstream" version numbers of an executable, as Apple's forks sometimes get security fixes to older versions. But I don't want to confuse the issue here because I'm pretty sure git is **not** one of them, and `git version 2.6.4 (Apple Git-63)` **does** indicate the bug is unfixed. – Steven Fisher Apr 18 '16 at 19:18

1 Answer

5

Most developers I know who are using OS X are using Homebrew for a variety of reasons; in addition to providing easy installation of tools not available from Apple, the updated versions of Apple-provided tools provide bugfixes and security fixes. And yes, Homebrew is currently distributing git 2.7.4.

Xiong Chiamiov
  • Right; that's covered by "manually installing a newer version of git", or at least I thought it would be (that's what I have done;)) – Tobi Nary Mar 24 '16 at 20:09
  • It depends on what you consider manual. It's certainly less manual than downloading the git source and compiling it. It *is* more manual than running Apple's global software update, but only if you haven't already installed it via Homebrew, in which case it will get included in a 'brew upgrade' along with anything else out of date. So I guess my perspective is that, for things Apple doesn't really care about, *proactively* it's a good idea to install them through a system like Homebrew so that you'll be prepared in the case of a vulnerability like this one. – Xiong Chiamiov Mar 25 '16 at 17:36
  • That might pretty much cover all of Apple's tools that come bundled with Xcode. – Tobi Nary Mar 25 '16 at 18:03
  • 2
    My question is whether using homebrew to update git will fully protect an end user. I can see that the `$PATH` variable has `/usr/local/bin` first, so no problem there for command line usage. However, not sure whether Xcode and other tools like SourceTree and Kraken would be protected? Opinion on that would be very appreciated. – Scott Corscadden Apr 19 '16 at 12:28
  • 1
    Update: `brew install git` works just fine, but `xcrun --find git` still resolves to `/Applications/Xcode.app/Contents/Developer/usr/bin/git` sadly. – Scott Corscadden Apr 19 '16 at 12:50
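The question and the last two comments raise the same practical check: which git binary actually runs, and is its version at or above the 2.7.1 threshold the question quotes? The script below is an added example, not code from the question, the answer, or any of the projects mentioned. It parses `git --version` output (ignoring Apple's "(Apple Git-63)" suffix), compares versions component-wise, and, when run with `--audit` on a real Mac, inspects the candidates a developer is likely to hit: the first `git` on `$PATH`, Apple's `/usr/bin/git`, Homebrew's `/usr/local/bin/git` (the path named in the comment above), and whatever `xcrun --find git` resolves to. The 2.7.1 threshold is taken from the question text; the sample version lines at the bottom are constructed from strings quoted on this page, not captured from a machine.

```sh
#!/bin/sh
# Added example: audit the git binaries a macOS developer might invoke and
# report whether each predates the fixed release. Assumes 2.7.1 is the first
# fixed version (as the question states) and that `xcrun` exists where Xcode is
# installed; on a machine without xcrun that candidate is simply skipped.

FIXED_VERSION="2.7.1"   # first release carrying the fix, per the question

# Extract "X.Y.Z" from a `git --version` line such as
# "git version 2.6.4 (Apple Git-63)"; the vendor suffix in parentheses is dropped.
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when version $1 >= version $2, comparing numerically per component,
# so that 2.10.0 correctly sorts above 2.7.1 (a plain string compare would not).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            pa = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            pb = (i <= nb) ? y[i] + 0 : 0
            if (pa > pb) exit 0
            if (pa < pb) exit 1
        }
        exit 0
    }'
}

# Classify one `git --version` line: prints "fixed", "vulnerable" or "unknown"
# and returns 0, 1 or 2 respectively.
classify_git_version_line() {
    v=$(parse_git_version "$1")
    [ -n "$v" ] || { echo "unknown"; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed"; return 0
    else
        echo "vulnerable"; return 1
    fi
}

# Run `git --version` on every candidate binary present on this machine and
# print its classification. Candidates that do not exist are skipped silently.
audit_git_binaries() {
    path_git=$(command -v git 2>/dev/null) || path_git=""
    xcrun_git=$(xcrun --find git 2>/dev/null) || xcrun_git=""
    for candidate in "$path_git" /usr/bin/git /usr/local/bin/git "$xcrun_git"; do
        [ -n "$candidate" ] && [ -x "$candidate" ] || continue
        line=$("$candidate" --version 2>/dev/null) || continue
        printf '%-55s %-35s [%s]\n' "$candidate" "$line" \
            "$(classify_git_version_line "$line")"
    done
}

# Constructed sample lines (not captured from a real machine): the Apple version
# quoted in the question and the Homebrew version quoted in the answer.
for sample in "git version 2.6.4 (Apple Git-63)" "git version 2.7.4"; do
    printf '%-35s -> %s\n' "$sample" "$(classify_git_version_line "$sample")"
done

# On a real Mac: `sh check_git.sh --audit` (script name is an assumption).
if [ "${1:-}" = "--audit" ]; then
    audit_git_binaries
fi
```

The audit deliberately does not stop at `command -v git`: as the final comment shows, Homebrew can put a fixed git first on `$PATH` while `xcrun --find git` still points GUI tools at Xcode's bundled copy, so only listing every resolved binary tells you whether the vulnerable build is still reachable.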