Outdated Git version in OS X puts developers at risk

April 19, 2016 - All, Security

The OS X command line developer tools include an old version of the Git source-code management system that exposes Mac users to remote code-execution attacks. “If you rely on machines like this, I am truly sorry,” said systems administration expert Rachel Kroll. “I feel for you.”

The Git client allows developers to interact with source code repositories. It is not installed by default on Mac OS X, but it is included in the Command Line Tools package for Xcode, Apple’s integrated development environment (IDE).

Software developers who create applications for OS X or iOS are likely to use Xcode and to have Apple’s Command Line Tools package installed on their Macs. The latest version of this package includes Git version 2.6.4, released in December.

The problem is that Git 2.6.4 has two serious vulnerabilities that were publicly disclosed last month. The flaws, tracked as CVE-2016-2315 and CVE-2016-2324, affect both client and server deployments of Git. On the client side, they could lead to remote code execution when cloning a repository with a large filename or a large number of nested trees.
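As an added check, not part of the article or of Apple's tooling: a POSIX shell function that classifies a `git --version` string as affected or not by comparing it with the upstream releases that fixed these CVEs. It assumes the fixes shipped in maintenance releases 2.4.11, 2.5.5, 2.6.5 and 2.7.4, and the Apple-tagged version string used below is constructed.

```shell
#!/bin/sh
# Added example: classify a `git --version` line against the releases that
# fixed CVE-2016-2315 / CVE-2016-2324. Assumed fixed releases: 2.4.11, 2.5.5,
# 2.6.5 and 2.7.4; anything older on its series is treated as affected.

# Strip the "git version " prefix and any trailing vendor tag such as
# "(Apple Git-63)", leaving only "major.minor.patch".
git_version_number() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# Prints "vulnerable", "patched" or "unknown" for a raw `git --version` line.
git_cve_2016_2324_status() {
    ver=$(git_version_number "$1")
    [ -n "$ver" ] || { echo "unknown"; return 2; }
    major=$(echo "$ver" | cut -d. -f1)
    minor=$(echo "$ver" | cut -d. -f2)
    patch=$(echo "$ver" | cut -d. -f3)
    : "${patch:=0}"                      # "2.6" counts as 2.6.0
    # Minimum fixed patch level for each maintenance series (assumption above).
    case "$major.$minor" in
        2.4) need=11 ;;
        2.5) need=5 ;;
        2.6) need=5 ;;
        2.7) need=4 ;;
        *)
            # Series without a backport: 2.8 and later postdate the fix,
            # anything older predates it.
            if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 8 ]; }; then
                echo "patched"; return 0
            fi
            echo "vulnerable"; return 1 ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# Usage: `sh check-git.sh --self` reports on the Git found in PATH.
if [ "${1:-}" = "--self" ]; then
    git_cve_2016_2324_status "$(git --version 2>/dev/null)"
fi
```

The Xcode Command Line Tools Git described in the article would report "vulnerable" here; a Homebrew or source-built Git at 2.7.4 or later reports "patched".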