A patch is available to mitigate a critical vulnerability affecting all versions of the official Git client and all related software that interacts with Git repositories.
“An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” said GitHub’s Vicent Martí in a blog post.
Only Git clients on Windows and OS X are affected by the issue; GitHub.com and GitHub Enterprise are not.
Strictly speaking, the vulnerability only affects developers who pull from repositories whose committers they do not know or trust. Even so, all users should install the update and take care when cloning or otherwise accessing Git repositories hosted on untrusted servers.
There is currently no indication anyone is exploiting the bug.
“Repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability because we now verify and block these trees on push,” Marti said. “We have also completed an automated scan of all existing content on github.com to look for malicious content that might have been pushed to our site before this vulnerability was discovered. This work is an extension of the data-quality checks we have always performed on repositories pushed to our servers to protect our users against malformed or malicious Git data.”
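The push-time check GitHub describes, and the client-side check the patched Git performs, come down to the same question: does any component of a path in the tree resolve to `.git` once the target filesystem's name folding is applied? The following is an added example of such a validator, written for this article and not GitHub's or the Git project's own code. It folds each path component the way a case-insensitive filesystem would (case, plus NTFS's stripping of trailing dots and spaces, plus the set of format code points HFS+ ignores when comparing names; that code-point set is an assumption taken from the Unicode ignorable range and is not spelled out on the page), and flags any path that would land on `.git`. The `check_revision` helper shows how it would be wired to `git ls-tree` in a pre-receive hook; the tree listing in `SAMPLE_PATHS` is constructed for the demonstration.

```python
"""Reject Git tree paths that alias .git on case-insensitive filesystems.

Added example modeled on the push-time blocking described in the article;
not GitHub's or Git's own implementation.
"""
import subprocess
import unicodedata
from typing import Iterable, List

# Format/control code points that HFS+ ignores when comparing file names.
# Assumption: a subset of the Unicode default-ignorable range; adjust if you
# target a different filesystem's comparison rules.
_HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def _ntfs_fold(component: str) -> str:
    """Fold a name the way NTFS compares it: drop trailing dots/spaces, ignore case."""
    return component.rstrip(". ").casefold()


def _hfs_fold(component: str) -> str:
    """Fold a name the way HFS+ compares it: drop ignorable code points, ignore case."""
    stripped = "".join(ch for ch in component if ord(ch) not in _HFS_IGNORABLE)
    return unicodedata.normalize("NFD", stripped).casefold()


def is_dotgit_component(component: str) -> bool:
    """True if this single path component would resolve to '.git' on Windows or OS X."""
    return _ntfs_fold(component) == ".git" or _hfs_fold(component) == ".git"


def find_unsafe_paths(paths: Iterable[str]) -> List[str]:
    """Return every path containing a component that aliases .git (Git uses '/' separators)."""
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


def check_revision(rev: str = "HEAD") -> List[str]:
    """List the tree at `rev` with git and return offending paths.

    Suitable for a pre-receive hook: a non-empty result means the push should be rejected.
    """
    out = subprocess.run(
        ["git", "ls-tree", "-r", "--name-only", "-z", rev],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_unsafe_paths(p for p in out.split("\0") if p)


# Constructed sample tree listing (not taken from any real repository).
SAMPLE_PATHS = [
    "README.md",
    "src/main.c",
    ".gitignore",                  # legitimate: does not fold to ".git"
    ".Git/config",                 # case variant
    ".git./hooks/post-checkout",   # NTFS strips the trailing dot
    "vendor/.GIT/config",          # nested case variant
    "lib/.g\u200cit/config",       # HFS+ ignores the zero-width non-joiner
]

if __name__ == "__main__":
    for path in find_unsafe_paths(SAMPLE_PATHS):
        print("reject:", path)
```

Note that the validator deliberately does not try to normalize the path into something safe; like the server-side check in the quote above, it rejects the tree outright, since a legitimate project has no reason to carry a directory that folds to `.git`.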