Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
BLACK FRIDAY DEAL: Trust the World's Fastest VPN with Your Internet Security & Freedom--A Lifetime Subscription of PureVPN at $48 with coupon code "BFRIDAY20" ×
Desktops (Apple) Security IOS OS X Privacy Software Apple News Build Hardware

Rogue Source Code Repos Can Compromise Mac Security Due To Old Git Version (softpedia.com) 184

An anonymous reader writes: Recent Mac versions come bundled with a very old version of Git (2.6.4) that is vulnerable to two security flaws that allow attackers to execute code on the device when the user forks a Git repo holding "malicious" code. The problem is that users can't upgrade this Git repo, they can't change its runtime permissions, nor can they remove it because Apple blocks even root users from twiddling with some system-level programs. "If you rely on machines like this, I am truly sorry. I feel for you," the researcher wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."
This discussion has been archived. No new comments can be posted.

Rogue Source Code Repos Can Compromise Mac Security Due To Old Git Version

Comments Filter:
  • Compile and path (Score:3, Interesting)

    by Moblaster ( 521614 ) on Monday April 18, 2016 @08:52PM (#51936933)
    Well why can't you just compile a new git and stick it in your path?
    • Re:Compile and path (Score:5, Informative)

      by Anonymous Coward on Monday April 18, 2016 @09:17PM (#51937081)

      Because OS X resets PATH to the system defaults stored in /etc (which you can't edit for the same reason you can't update git) on anything launched by launchctl, which is basically anything you don't launch directly via the shell.

      • Re:Compile and path (Score:4, Informative)

        by Darinbob ( 1142669 ) on Tuesday April 19, 2016 @12:55AM (#51937929)

        You can fix this stuff. True, the latest El Capitan crap tries to prevent root from doing some things but you can override it with the secret mantra easily found in web searches. Anyone using "git" on OSX is probably already using Mac Ports or something similar. The default tools that come with OSX or Xcode really only exist as an iOS development support system and can be ignored.

        • by jeremyp ( 130771 )

          The default tools that come with OSX or Xcode really only exist as an iOS development support system and can be ignored.

          Yes, and I do. However, if you use the git integration of Xcode itself, it is hard coded to use the built in to Xcode version of git i.e. the vulnerable one.

          Of course, nobody in their right mind uses the Xcode source control because it is rubbish.

  • macports (Score:2, Insightful)

    by feranick ( 858651 )
    sudo port install git
    Not that complicated.
  • It's Impossible!!! (Score:5, Informative)

    by konohitowa ( 220547 ) on Monday April 18, 2016 @09:03PM (#51936991) Journal

    sudo port install git
    echo "export PATH=/opt/local/bin:\$PATH" >> ~/.bashrc

    Oh! The humanity!

    (Requires https://www.macports.org/insta... [macports.org])

    As an aside, it's possible to override SIP, but it's a bit of a PITA.

    • by 93 Escort Wagon ( 326346 ) on Monday April 18, 2016 @10:08PM (#51937341)

      Yup, boy howdy that was hard.


      $ git --version
      git version 2.6.4 (Apple Git-63)
      $ fink install git
      ... chatty installation text ...
      $ hash -r
      $ which git
      /sw/bin/git
      $ git --version
      git version 2.8.0
      $

        But, still, it is annoying that a lot of the various standard developer tools provided by Apple are significantly older than their current counterparts on most other Unix systems.

    • by fnj ( 64210 )

      sudo port install git
      echo "export PATH=/opt/local/bin:\$PATH" >> ~/.bashrc

      Oh, how clever. You've built in a dependency on the shell being bash and no other. Also, that won't affect the PATH seen by cron jobs.

      • Oh, how droll. You assume /.-ers are imbeciles incapable of handling the command line.

        • by Khyber ( 864651 )

          Most current /.ers certainly can't handle the command line. They were born in the age of the GUI.

          How thoughtless of you.

    • by jeremyp ( 130771 )

      You don't need the second line. MacPorts automatically adds the correct path to your profile to make it override the built in tools.

  • by Guy Harris ( 3803 ) <guy@alum.mit.edu> on Monday April 18, 2016 @09:03PM (#51936993)

    First, you turn off System Integrity Protection by following the directions on Apple's Configuring System Integrity Protection [apple.com] page.

    Then, you replace it (or any other program you want, including /System/Library/Kernels/kernel).

    Then, if you want, you turn System Integrity Protection back on.

    • I'll get my grandmother on that.
      • by Guy Harris ( 3803 ) <guy@alum.mit.edu> on Monday April 18, 2016 @09:23PM (#51937107)

        I'll get my grandmother on that.

        If your grandmother uses Git from the command line on her Mac, and would otherwise be capable of replacing /usr/bin/git, she might not find the extra steps described in Apple's document too problematic.

      • If your grandmother is checking out code from a git repository (and much kudos to her if so) then she won't have a problem disabling SIP...

        • Re: (Score:2, Insightful)

          by lucm ( 889690 )

          Two points.

          1) forking github repos has long stopped being something that requires deep technical skills, it's basically the modern Download.com

          2) Apple products are supposed to be designed for regular people and Apple ecosystem is supposed to be closed so they can control quality. Fail and fail.

          • by Aaden42 ( 198257 )

            1) forking github repos has long stopped being something that requires deep technical skills, it’s basically the modern Download.com

            What universe are you living in? I’m pretty confident saying that zero of the humans I know who don’t work directly in programming-related IT fields don’t even know what ‘git’ is. The British non-coder folks I know might think I’ve just insulted them, but other than that, blank faces all around.

            That kind of thinking from a rarified en

          • Away bollocks. You're just trying to score cheap points.

            There is no way my mother (not speaking for OP's grandmother here) will ever open Terminal.app, let alone type in 'git clone xxxxx'. She doesn't know what 'download.com' *is*. For people like my mother, Apple computers are indeed better.

            For tech-savvy developers (i.e. People who know what './configure' is, or 'make', following the step-by-step instructions for disabling SIP is trivial. Or, you know, they can just install macports (standard install pack

            • "For people like my mother, Apple computers are indeed better."

              Maybe. Maybe not.

              Someone is going to have to support Mom's computer. If it's a Mac, that person will have to be one level more savvy to get around Apple's user protective stuff. i.e. I won't be able to keep Mom's machine working because all the extra junk is one step beyond my knowledge. I'm not a developer - just a user who has figured out that the non-proprietary OSs are the sweet spot for user maintenance. Add proprietary and easy mai

              • My mother has a Mac. She's 6000 miles away. Number of support calls needed over the past several years ? 0.

                I installed it at Xmas one year when I was over there, and since then have had zero trouble with it. Now my brother has to maintain my father's PC now and then (example: he clicked the UPS email when UPS were indeed delivering that day), but *fortunately* he's only a couple of hundred miles away /s

                I stand by the statement. For people like my mother, Apple computers are indeed better.

            • by lucm ( 889690 )

              But hey, let's bash Apple huh ?

              There has been no Apple bashing in this thread. Not getting on one's knees to worship Apple is not the same as bashing Apple.

              You remind me of those people who say they've been cyber-bullied because nobody "Liked" a comment they posted.

              • From the post above mine, which I was replying to:

                "Apple products are supposed to be designed for regular people and Apple ecosystem is supposed to be closed so they can control quality. Fail and fail."

                "Fail and fail" is generally considered to be uncomplimentary. Just FYI.

                • by lucm ( 889690 )

                  "Fail and fail" is generally considered to be uncomplimentary. Just FYI.

                  And you consider that bashing? Have you been raised by hippies?

                  • I'm not sure what hippies are, so I doubt it, but I do understand what politeness and manners (and their opposites) are.

      • Lol, your grandmother is regularly forking unknown source repos? Because if so, she can handle fixing it....
      • by Anonymous Coward

        You should. She apparently already installed Xcode and is forking various git repos.

      • by kuzb ( 724081 )

        ...just as soon as you finish training her to use version control.

  • by Anonymous Coward

    When you make a copy of a git repository on your machine, it's called "cloning" the repo. "Fork" is a GitHub buzzword.

  • by Anonymous Coward

    I'm annoyed this is a problem and would like Apple to fix it, but using bullshit to spread a story is a bit counter-productive.

    It's not old (about 4 months since release, mid-Dec 2015) and unless you're using integrated git in Xcode, very easy to upgrade via brew or macports.

  • Granted, it's a bummer that Apple hasn't tended to the Git client shipped with Xcode.

    That said, I'd argue just about anyone who takes the trouble to install and use Xcode and the associated command line stuff that comes with it is going to know how to steer ($PATH) around (fink, macports) a problematic tool once informed about it.

    She got this onto Slashdot, so the hard part is on its way to being handled: getting the word out.

    • by fnj ( 64210 )

      Granted, it's a bummer that Apple hasn't tended to the Git client shipped with Xcode.

      Also, just as one more example, even as of OSX 10.10 Yosemite, the shipped version of bash is prehistoric.

    • Sounds like this won't be resolved until Apple releases its next Xcode update (or Command Line Tools for Xcode if you aren't using the IDE). Looking at previous release dates it seems that Apple releases new versions every three months and the previous version was released 21st of March 2016.

    • by Etcetera ( 14711 )

      Are there any other kind?

      *rimshot*

      There are only three types of people I know who locally develop on Macs:
      1) Devs developing a native Mac or iOS application
      2) Devs who need to make substantive code changes (or test cycles) when they're off line
      3) Devs who don't know how to log in to a remote server to do their development

      For #1, you have my sympathies. #2 should go head to a bar, or spend time with the family instead of working after hours. #3 probably need to be hit with a clue-bat, which will hopefully di

  • Does this mean that if your hardware vendor has a deity level above root then that is a bad thing?

  • by helixcode123 ( 514493 ) on Monday April 18, 2016 @09:45PM (#51937223) Homepage Journal
    sudo port install nethack
    • Re: (Score:2, Funny)

      by Anonymous Coward

      You made my day. Here, have a dog.

      d

  • Not Apple's Fault (Score:5, Informative)

    by Anonymous Coward on Monday April 18, 2016 @10:30PM (#51937449)

    It's not Apple's fault here. The git community developers completely and utterly botched this vulnerability. They announced it to the world, claiming it was fixed in 2.7.1 only to retract that a few days later after releasing 2.7.3 and then finally fixing it in 2.7.4. Apple released Xcode 7.3 just a couple days after git-2.7.4 was released, so it's no surprise that it doesn't contain the fix.

    Had the git community actually disclosed companies ahead of the announcement (and better yet, had released a fix before the announcement, or even have been *accurate* in the announcent), the vulnerability likely would have been fixed in Xcode 7.3. As it is, developers need to wait for Apple to spin an updated version of Xcode for this fix.

    The blame lies 100% on the git community for this debacle.

    See https://marc.ttias.be/oss-security/2016-03/msg00195.php for more details about how they completely failed here.

    • by Shawn Willden ( 2914343 ) on Tuesday April 19, 2016 @07:43AM (#51939067)

      The blame lies 100% on the git community for this debacle.

      That was true for a few days after the release of 2.7.4, maybe even a few weeks, if we're generous. But the blame gradually shifts to Apple as time goes on and they leave the vulnerability unpatched. By now, it's 100% on Apple. It's not as though Apple doesn't have a mechanism for delivering patches, either.

      • The blame lies 100% on the git community for this debacle.

        That was true for a few days after the release of 2.7.4, maybe even a few weeks, if we're generous. But the blame gradually shifts to Apple as time goes on and they leave the vulnerability unpatched. By now, it's 100% on Apple. It's not as though Apple doesn't have a mechanism for delivering patches, either.

        To be fair to Apple, I typically download the X-Code updates on four or five different Macs here, about 1GB for each one. Multiply that out to all the Macs that are going to download X-Code. It's difficult to imagine the amount of bandwidth that they're burning with each update, it would suck to have to immediately do the same thing again.

  • by Anonymous Coward on Monday April 18, 2016 @10:36PM (#51937471)

    Why is everyone so focused on replacing /usr/bin/git on their Mac? It's not git. It's just a stub that uses libxcselect to find git within Xcode:

    $ otool -L /usr/bin/git /usr/bin/git: /usr/lib/libxcselect.dylib (compatibility version 1.0.0, current version 1.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)

    If you really want to replace it, replace the one inside of Xcode:

    $ xcrun -f git /Applications/Xcode.app/Contents/Developer/usr/bin/git

    Or just wait for Apple to release an update with the fix, and go yell at the git developers for completely screwing up the disclosure of this vulnerability, thereby not giving companies time to prepare a release with the fix.

  • by Anonymous Coward

    git 2.6.4 was released about a month before Xcode 7.3 beta was first seeded to developers. How does "one month old" equate to "very old"?

    Do you want Apple to update versions of key components after starting the beta process just because the version number changes? git 2.7.0 came out just days before Xcode 7.3 beta1. It makes sense that they'd stick with 2.6.4 as it was a very stable version and there was no compelling reason to update until just a couple days before Xcode 7.3 was released.

  • $ git --version
    git version 2.6.3
    $ brew update
    $ brew upgrade git
    $ git --version
    git version 2.8.1

    Back to my

    • beer. Back to my beer.

      Why do /. comments strip emoticons, especially important ones like beer?

      *sigh*

      • by Lennie ( 16154 )

        Because Slashdot uses MySQL and their collation doesn't allow it ?

      • by jeremyp ( 130771 )

        Because it is shit.

        • by jeremyp ( 130771 )

          Clarification: "it" refers to the Slashdot software, not beer, your post or Slashdot the organisation.

          Clarification on the clarification: The fact that the clarification states that "it" refers to the software only is not meant to imply that the other things listed are definitely not shit.

    • does not work
  • Apple builds themselves a walled garden, then utterly failed to prevent a fire from breaking out on the inside. This my friends is sweet poetic justice. A modern OS cannot exist in isolation like these hipster wannabes like to think it can. Apple is not omnipotent and it does not know what is best for you. Every informed Mac user I have ever met bought their system for the same reason, they don't want to take responsibility for their own security. Well guess what, that isn't possible and it never actually w

  • FWIW, the developer seed of Xcode 7.3.1 contains git 1.7.4.

Pound for pound, the amoeba is the most vicious animal on earth.

Working...