{"id":14218,"date":"2016-04-19T09:41:12","date_gmt":"2016-04-19T13:41:12","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=14218"},"modified":"2021-09-27T15:51:24","modified_gmt":"2021-09-27T19:51:24","slug":"git-remote-code-execution-bug","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2016\/04\/19\/git-remote-code-execution-bug\/","title":{"rendered":"Git Remote Code Execution Bug"},"content":{"rendered":"<p>The current Git version is 2.8.1. Xcode 7.3 comes with Git 2.6.4.<\/p>\n\n<p><a href=\"http:\/\/rachelbythebay.com\/w\/2016\/04\/17\/unprotected\/\">Rachel Kroll<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=11517894\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"http:\/\/rachelbythebay.com\/w\/2016\/04\/17\/unprotected\/\"><p>git 2.6.4. Is anything wrong with that? Well, yeah, actually. Say hello to CVE-2016-2324 and CVE-2016-2315, present in everything before 2.7.1 according to the report. You should check this out.<\/p>\n<p><a href=\"http:\/\/www.openwall.com\/lists\/oss-security\/2016\/03\/15\/5\">Remote.  Code.  Execution.<\/a><\/p>\n<p>[&#8230;]<\/p>\n<p>Apple is doing something new which basically keeps you from twiddling certain system-level programs without going to fantastic lengths. Not even root is enough to do it. 
In short, you can&rsquo;t just replace \/usr\/bin\/git.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=11517894\">cs702<\/a>:<\/p>\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=11517894\">\n<p>Companies like Apple and Microsoft prevent you from modifying the software installed on your computer to improve your security.<\/p>\n<p>Ironically, when they do that, they also make it difficult, impractical, or impossible for you to upgrade or disable vulnerable software (in this case, an old, insecure version of git with a remote-code-execution vulnerability).<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=11522969\">joushou<\/a>:<\/p>\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=11522969\"><p>\/usr\/bin\/git is a &ldquo;toolshim&rdquo; that effectively calls &ldquo;xcrun git&rdquo; (it actually calls xcselect_invoke_xcrun, from \/usr\/lib\/libxcselect.dylib, if you really want the details - this can be found by inspecting the binary). xcode-select&rsquo;s manpage tells you that these shims call the respective binary in the active developer directory, whereas xcrun&rsquo;s manpage describes its capabilities in more detail.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=11521481\">fishywang<\/a>:<\/p>\n<blockquote cite=\"https:\/\/news.ycombinator.com\/item?id=11521481\"><p>Imagine that you are a corp IT and managing a fleet of developers with Macs. You can push a newer version of git to them, and you can even change their default PATH so that the version of git you pushed is before the git that comes with Apple. 
But you still cannot remove the one that comes with Apple, and you cannot prevent it from being used.<\/p><\/blockquote>\n\n<p>Update (2016-05-06): The updated version of Git is <a href=\"http:\/\/rachelbythebay.com\/w\/2016\/05\/05\/xcode\/\">finally<\/a> in the <a href=\"https:\/\/developer.apple.com\/library\/mac\/releasenotes\/DeveloperTools\/RN-Xcode\/Chapters\/Introduction.html#\/\/apple_ref\/doc\/uid\/TP40001051\">release notes<\/a> for Xcode 7.3.1 (<a href=\"https:\/\/news.ycombinator.com\/item?id=11643829\">Hacker News<\/a>).<\/p>","protected":false},"excerpt":{"rendered":"<p>The current Git version is 2.8.1. Xcode 7.3 comes with Git 2.6.4. Rachel Kroll (via Hacker News): git 2.6.4. Is anything wrong with that? Well, yeah, actually. Say hello to CVE-2016-2324 and CVE-2016-2315, present in everything before 2.7.1 according to the report. You should check this out. Remote. Code. Execution. [&#8230;] Apple is doing something [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-09-27T19:51:28Z","apple_news_api_id":"c2f27588-ed9e-4cab-962f-6db04e6f37be","apple_news_api_modified_at":"2021-09-27T19:51:28Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AwvJ1iO2eTKuWL22wTm83vg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,377,48,226],"class_list":["post-14218","post","type-post","status-publish","format-standard","hentry","category-techn
ology","tag-bug","tag-git","tag-security","tag-xcode"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=14218"}],"version-history":[{"count":6,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14218\/revisions"}],"predecessor-version":[{"id":33745,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14218\/revisions\/33745"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=14218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=14218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=14218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}