Git thee behind me, Git crit security bug!

GitHub has acknowledged there's a flaw in its client software and recommended that users upgrade as soon as possible. News of the flaw was announced at GMANE and GitHub has confirmed the existence of the flaw and issued a recommendation for “all users of GitHub and GitHub Enterprise to update their Git clients as soon as …

  1. Alex Brett

    Why the focus on GitHub?

    This article is quite poorly worded. If you only use GitHub you're safe, as they've put protection in at the server side (though obviously upgrading anyway would still be recommended). The issue is if you use git (which, while it is the client software you use with GitHub, is not 'their' client software; GitHub came around about 2-3 years later as a collection of repositories with a nice web UI etc.) on other untrusted repositories on case-insensitive systems, where your .git directory can get overwritten...

    1. Hans 1 Silver badge

      Re: Why the focus on GitHub?

      > “Linux clients are not affected if they run in a case-sensitive filesystem,”

      Yes, I sent a request for correction, along with an extract of the GMANE announcement.

      This basically means that 99.99% of Linux git clients are not affected. It also means that 1% of Mac OS X clients are not affected. Real men use a case-sensitive OS/FS: HFS+ can be and SHOULD BE set to case-sensitive. Not only is it better, imho, but you also expose code from window cleaners turned OS X devs, and that is priceless. If it does not work on a case-sensitive FS, you should not use it.

  2. David Taylor 1

    "GitHub has acknowledged there's a flaw in its client software and recommended that users upgrade, as soon as possible."

    Um, no. It is not a flaw in "its" client software, it's a flaw in *the* Git client. GitHub just happens to be a popular set of 'untrusted' git repositories that makes a perfect pool of victims for those looking to exploit the flaw in the client.

  3. schafdog

    Only case-insensitive filesystems

    I think the reporting is focusing wrongly on which OS. They should be focusing on the fact that it's about the filesystem. Yes, Linux mostly uses case-sensitive. But so do I on OS X.

  4. Adam Connelly

    Have to agree

    This article is pretty confusing. I'm assuming that what this is talking about is that there's a flaw in git clients in general, rather than anything specific to GitHub. The reason that it's confusing is that GitHub provide their own git client, but it isn't the only client that you can use to access repositories hosted on GitHub.

    Any chance the article could be updated to be really explicit about exactly what's affected here? Is it a problem with any git client, or is it a problem with the client created by GitHub?

    1. Alex Brett

      Re: Have to agree

      GitHub releases some software, but as far as I am aware that bundles the official git client in, and is basically just wrapping it.

      There's a pretty good summary on the GitHub blog at https://github.com/blog/1938-git-client-vulnerability-announced - but to answer your question, yes, it is a flaw in the official git client, that applies when run on a system with a case-insensitive filesystem (e.g. NTFS)...
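The two practical questions in this thread are "does this repository contain a tree entry that a case-insensitive filesystem would map onto my .git directory?" (the attack Alex Brett describes above) and "is my git old enough to still be affected?" (Mark 65's 1.8.4.2 below). The script here is an added example written for this page; it is not code from the thread, from the git project or from GitHub. The detection rules are a Python approximation of what the upstream fix does: it folds case, strips the trailing dots and spaces NTFS ignores, drops the code points HFS+ ignores when comparing names, and treats `git~<digits>` as the NTFS 8.3 short name of `.git`. The exact ignorable code point list and the `git~<digits>` pattern are assumptions meant to err on the side of flagging too much. `FIXED_RELEASES` holds the patched releases named in the December 2014 git announcement (1.8.5.6, 1.9.5, 2.0.5, 2.1.4, 2.2.1). The sample tree is constructed for the example. `scan_repo` shells out to a real git and is the only part that is not offline.

```python
import re
import subprocess
from typing import Iterable, List, Tuple

# Code points HFS+ ignores when comparing file names (assumption: list taken
# from memory of the upstream core.protectHFS check; over-flagging is safe).
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}

# NTFS 8.3 short name for ".git" is "GIT~1"; later numbers can occur, so
# treat any git~<digits> as suspect (assumption, deliberately conservative).
NTFS_SHORT_NAME = re.compile(r"^git~\d+$")


def hfs_fold(component: str) -> str:
    """Name as HFS+ would compare it: ignorable code points dropped, case folded."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE).casefold()


def ntfs_fold(component: str) -> str:
    """Name as NTFS would compare it: trailing dots/spaces dropped, case folded."""
    return component.rstrip(". ").casefold()


def is_dotgit_component(component: str) -> bool:
    """True if this path component would collide with .git on a
    case-insensitive filesystem (plain .git is included for completeness;
    git refuses that one everywhere)."""
    if component.casefold() == ".git":
        return True
    if hfs_fold(component) == ".git":
        return True
    n = ntfs_fold(component)
    return n == ".git" or NTFS_SHORT_NAME.match(n) is not None


def find_dotgit_paths(paths: Iterable[str]) -> List[str]:
    """Return every tree path that has a .git look-alike anywhere in it."""
    return [p for p in paths if any(is_dotgit_component(c) for c in p.split("/"))]


def scan_repo(repo_dir: str, rev: str = "HEAD") -> List[str]:
    """List suspicious paths in a fetched (not necessarily checked out) tree.
    -z gives raw NUL-separated names, so unusual bytes are not quoted."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "-z", "--name-only", rev],
        check=True, capture_output=True,
    ).stdout
    names = [n.decode("utf-8", "surrogateescape") for n in out.split(b"\0") if n]
    return find_dotgit_paths(names)


# Patched releases from the git announcement; anything in a newer series is fine.
FIXED_RELEASES: List[Tuple[int, ...]] = [
    (1, 8, 5, 6), (1, 9, 5), (2, 0, 5), (2, 1, 4), (2, 2, 1),
]


def parse_version(version_output: str) -> Tuple[int, ...]:
    """Turn 'git version 1.8.4.2' (or '2.2.1.windows.1') into a tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError("no version number in %r" % version_output)
    return tuple(int(x) for x in m.group(1).split("."))


def is_fixed(version_output: str) -> bool:
    """True if this git carries the .git-overwrite fix."""
    v = parse_version(version_output)
    series = v[:2]
    if series > (2, 2):
        return True
    for fix in FIXED_RELEASES:
        if fix[:2] == series:
            return v >= fix
    return False  # series older than 1.8 never received the fix


# Constructed sample tree: what a hostile repository might contain.
SAMPLE_TREE = [
    "README.md",
    ".GIT/config",                      # case only
    ".Git/hooks/post-checkout",         # case only, targets a hook
    "src/.gi\u200ct/config",            # zero-width non-joiner, HFS+ ignores it
    "GIT~1/config",                     # NTFS 8.3 short name
    ".git./config",                     # NTFS drops the trailing dot
    "docs/gitignore",                   # benign
    ".github/workflows/ci.yml",         # benign
]

if __name__ == "__main__":
    for p in find_dotgit_paths(SAMPLE_TREE):
        print("suspicious:", p)
    print("1.8.4.2 fixed?", is_fixed("git version 1.8.4.2"))
```

To check a repository you have not yet trusted, clone it with `git clone --no-checkout` and run `scan_repo` on the result before checking anything out; the whole point of the bug is that the overwrite happens at checkout time, so the tree must be inspected before then. `is_fixed("git version 1.8.4.2")` returns False, which matches the suspicion expressed below about that NAS package.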

    2. Mark 65

      Re: Have to agree

      Well, I know that I have just updated my NAS to have the latest available ipkg package (source googlecode git-core git-1.8.4.2) which seems ancient and I have no idea whether it is protected from this but I suspect not.

      It seems the version I have for my Mac is also out of date even updating to the latest binary. Irritatingly it looks like I may have to undertake the joy of source + compile.

  5. Benchops

    Talk about cr*p journalism

    The article says (and uses quotation marks):

    ' “Linux clients are not affected if they run in a case-insensitive filesystem,” the service's warning reads'

    whereas the warning actually reads

    'Linux clients are not affected if they run in a case-sensitive filesystem.'

    I'd correct that pronto.

    1. gazthejourno (Written by Reg staff)

      Re: Talk about cr*p journalism

      Actually that was me misreading someone's rant about this one sent to the corrections email address. I thought we'd misquoted the Git folks when that wasn't the case. Originally it was right, then it wasn't (which you spotted), now I've put it back to how it was.

      1. Benchops

        Re: Talk about cr*p journalism

        Copy and paste from the source -- it's the only way!

        1. Alistair Silver badge
          Windows

          Re: Talk about cr*p journalism

          "Copy and paste from the source -- it's the only way!"

          It was a case-insensitive editing tool.....

  6. JDX Gold badge

    So is it Git or GitHub?

    >>GitHub has acknowledged there's a flaw in its client software

    >>GitHub ... issued a recommendation ... update their Git clients as soon as possible.”

    GitHub DO have their own GitHub client specifically for people using GitHub - but this is entirely different to a regular git client.

    1. david 12

      Re: So is it Git or GitHub?

      Or is it the font-sensitive file systems? A casual reading of the announcement indicates that ...

      A client on a font-sensitive file system could overwrite ".git/config", causing problems for clients on font-insensitive file systems.

  7. John Gamble
    Boffin

    Also Git Bash

    This should not be confused with the git bash download for Windows, which is a git client from the git community (as opposed to github). They also have a GUI, although I can't compare the two as I use the bash shell almost exclusively.

    Hmm, looks like git bash for Windows has also had a very recent update -- and looking at the release notes, it's for much the same reason.

Biting the hand that feeds IT © 1998–2020