Tuesday, April 19, 2016

Git Remote Code Execution Bug

The current Git version is 2.8.1. Xcode 7.3 comes with Git 2.6.4.

Rachel Kroll (via Hacker News):

git 2.6.4. Is anything wrong with that? Well, yeah, actually. Say hello to CVE-2016-2324 and CVE-2016-2315, present in everything before 2.7.1 according to the report. You should check this out.

Remote. Code. Execution.


Apple is doing something new which basically keeps you from twiddling certain system-level programs without going to fantastic lengths. Not even root is enough to do it. In short, you can’t just replace /usr/bin/git.


Companies like Apple and Microsoft prevent you from modifying the software installed on your computer to improve your security.

Ironically, when they do that, they also make it difficult, impractical, or impossible for you to upgrade or disable vulnerable software (in this case, an old, insecure version of git with a remote-code-execution vulnerability).


/usr/bin/git is a “toolshim” that effectively calls “xcrun git” (it actually calls xcselect_invoke_xcrun, from /usr/lib/libxcselect.dylib, if you really want the details - this can be found by inspecting the binary). xcode-select’s manpage tells you that these shims call the respective binary in the active developer directory, whereas xcrun’s manpage describes its capabilities in more detail.


Imagine that you are corp IT, managing a fleet of developers with Macs. You can push a newer version of git to them, and you can even change their default PATH so that the version of git you pushed comes before the git that comes with Apple. But you still cannot remove the one that comes with Apple, and you cannot prevent it from being used.

Update (2016-05-06): The updated version of Git is finally in the release notes for Xcode 7.3.1 (Hacker News).
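
For the fleet scenario described above, an added example (not from the original post or the sources it quotes): a POSIX shell audit that lists every git reachable through PATH, the /usr/bin/git shim, and the binary the shim resolves to via xcrun, and flags versions older than 2.7.1. The function names are illustrative assumptions, and the xcrun lookup is skipped where xcrun is not installed.

```shell
#!/bin/sh
# Added example: list every git a user can reach and flag pre-fix versions.
FIXED=2.7.1   # first fixed release, per the report quoted on this page

# Pull the dotted numeric version out of `git --version` output.
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p' | sed 's/\.$//'
}

# version_lt A B: succeed when A is older than B (numeric, field by field).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# classify OUTPUT: print a verdict for one `git --version` string.
classify() {
    v=$(parse_git_version "$1")
    if [ -z "$v" ]; then echo "unknown"
    elif version_lt "$v" "$FIXED"; then echo "VULNERABLE $v"
    else echo "ok $v"; fi
}

# Candidate binaries: each PATH entry, the system shim, and whatever the
# shim resolves to through xcrun (which honours DEVELOPER_DIR).
audit_gits() {
    {
        old_ifs=$IFS; IFS=:
        for d in $PATH; do echo "${d:-.}/git"; done
        IFS=$old_ifs
        echo /usr/bin/git
        command -v xcrun >/dev/null 2>&1 && xcrun -f git 2>/dev/null
    } | sort -u | while read -r g; do
        [ -x "$g" ] || continue
        echo "$g: $(classify "$("$g" --version 2>/dev/null </dev/null)")"
    done
}

audit_gits
```

Run it as the developer account whose PATH you want to check; any line marked VULNERABLE is a git that user can still invoke, whatever the PATH ordering.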

6 Comments

I've been using a version of git I compiled myself for many years, and didn't have any trouble when upgrading to El Capitan.
Isn't the filesystem large enough that there are so many complaints about not being able to install and use your own copy without messing with the system copy?

@Jean-Daniel You can install and use your own Git directly, but how do you prevent the system one from being used?

Xcode 7.3.1 is now available, including an updated version of git:

@Chris Great! Is that documented anywhere? The release notes don’t mention git.

Nathaniel Irons

The only documentation I've seen originated on Twitter, from a certain Chris L: https://twitter.com/clattner_llvm/status/722501792450228225

I looked into this; those shims look up an environment variable, $DEVELOPER_DIR, to see where to execute their equivalent tool via xcrun. I wrote a POC shell script that allows you to type in "git HelloWorld", which spits out "Hello world!", and shows under ps as /usr/bin/git

