Outdated Git Version in OS X Puts Developers at Risk
Update: May 4, 2016 – Apple has released an updated version of Xcode to patch this vulnerability. Users can download Xcode 7.3.1 directly from Apple’s developer site at: https://developer.apple.com/xcode/download/
An outdated Git client bundled in Apple's Command Line Tools package is putting OS X developers at risk of remote code execution. According to a report from MacWorld, developers typically use Xcode when building apps for OS X or iOS, which means they are working on Macs that rely on Apple's Command Line Tools package. The problem is that the current Command Line Tools package still ships a vulnerable version of Git that hasn't been updated since December.
Git is defined on its official website as “a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency.” The description goes on to say that Git is “easy to learn” and has a “tiny footprint with lightning fast performance”—both attributes that would appeal to Apple for obvious reasons.
Unfortunately, in trying to create a more user-friendly app development process for Macs, Apple may have inadvertently put developers at risk. The version of Git currently included in Apple's Command Line Tools package, 2.6.4, has two known vulnerabilities that have been public for a month. According to MacWorld, the most pressing is that Git "could lead to remote code execution when cloning a repository with a large filename or a large number of nested trees." In practice, that means an attacker needs nothing more than to get a developer to clone a repository the attacker controls.
It's odd that Apple hasn't updated the Command Line Tools package yet, since Git released an update that patched both vulnerabilities more than a month ago, on March 17. In theory, developers using OS X could simply update Git themselves before going back to work. However, on OS X El Capitan, Apple's copy of Git lives in a location that System Integrity Protection treats as part of the system, so you can't patch or replace that binary on your own; only Apple can. A separately installed Git (from Homebrew or git-scm.com, for instance) isn't blocked, but it only protects you if it comes before Apple's copy on your PATH and if the tools you use honour PATH rather than calling Apple's git directly. The bundled copy itself stays vulnerable until Apple ships a new package.
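The practical question behind that paragraph is which git a developer is actually running, and whether it predates the March 17 releases. The following POSIX shell script is an added example, not code from the article, MacWorld, Apple or the Git project; the function names, the per-series table of first patched releases (2.7.4, with backports to 2.6.6, 2.5.5 and 2.4.11 the same day) and the sample version strings are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not from the article, MacWorld, Apple or the Git project):
# decide whether the git that "git" resolves to on PATH predates the
# March 17, 2016 maintenance releases that fixed the tree-traversal bugs.
# Function names, the per-series table and the sample strings are this
# example's own assumptions.

# Exit 0 when dotted version $1 is strictly older than $2. Components are
# compared numerically, a missing component counts as 0, and trailing
# non-digits such as "-rc0" are dropped. POSIX sh only, no sort -V needed.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# First patched release for a major.minor series. The fix shipped in 2.7.4
# and was backported to 2.6.6, 2.5.5 and 2.4.11 on the same day; older
# series never got it, so everything else is measured against 2.7.4.
fixed_version_for() {
    case "$1" in
        2.4) echo 2.4.11 ;;
        2.5) echo 2.5.5 ;;
        2.6) echo 2.6.6 ;;
        *)   echo 2.7.4 ;;
    esac
}

# Pull the bare x.y.z out of a "git --version" line, e.g. the constructed
# sample "git version 2.6.4 (Apple Git-63)" -> 2.6.4
parse_git_version() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Echo "vulnerable" or "patched" for a bare version string such as 2.6.4.
git_version_status() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    if version_lt "$v" "$(fixed_version_for "$major.$minor")"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Check the binary "git" resolves to (or an explicit path given as $1).
# Exit 0 if patched, 1 if vulnerable, 2 if git could not be run.
check_git_on_path() {
    bin="$1"
    [ -n "$bin" ] || bin=$(command -v git) || true
    if [ -z "$bin" ]; then
        echo "no git on PATH"
        return 2
    fi
    ver=$(parse_git_version "$(LC_ALL=C "$bin" --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "$bin: could not read a version string"
        return 2
    fi
    status=$(git_version_status "$ver")
    echo "$bin: git $ver is $status"
    # On OS X, /usr/bin/git is Apple's stub for the Command Line Tools copy;
    # a newer Git installed elsewhere only helps if it resolves first.
    [ "$bin" = /usr/bin/git ] && echo "note: this is Apple's bundled git"
    [ "$status" = patched ]
}

check_git_on_path || :
```

If the reported path is /usr/bin/git, the check is looking at Apple's copy. A Git installed by Homebrew in /usr/local/bin only counts once that directory precedes /usr/bin on PATH, and any tool that hard-codes /usr/bin/git still runs the old one.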
MacWorld also briefly described a workaround: removing the execute permission from the vulnerable Git binary. That is a stopgap rather than a fix, since the vulnerable version remains on the system and the bundled copy itself stays vulnerable until Apple replaces it. In other words, developers who rely on Apple's Git to build or update their OS X apps are waiting on Apple to release a new Command Line Tools package before they can get back to business as usual.