
Go upgrade Xcode. Fix your Git security hole - hepha1979
http://rachelbythebay.com/w/2016/05/05/xcode/
======
dchest
Apple's developer responsible for maintaining Git wrote that the fixed version
didn't make it into Xcode 7.3, because the vulnerability was announced later
than they released it [1][2]. It took some time to release 7.3.1, indeed, and
maybe even Rachel's original post made them release it faster. It's sad that
they can't do it more quickly, but let's hope they'll improve their release process.

[1]
[https://twitter.com/jeremyhu/status/722272350272512000](https://twitter.com/jeremyhu/status/722272350272512000)

[2]
[https://twitter.com/jeremyhu/status/722482144082157568](https://twitter.com/jeremyhu/status/722482144082157568)

~~~
chris_wot
Their release process, IMHO, leaves a lot to be desired. I honestly feel Apple
takes far too long to release fixes, especially when it comes to security
matters.

I also feel that their decision-making process in general is opaque and often
arbitrary. Their lack of openness and transparency leaves a lot to be desired.
Ironically, I love their products and I'm often astounded by their high level
of customer service - it's the only company I know where they have set up a
system where you submit a support request and _they_ call _you_, and frankly
their Apple Stores are a genuine pleasure to walk into and their staff have
always been attentive and helpful when I go in there.

I really have a love-hate relationship with Apple, but on balance far more
love than hate. There's a reason they inspire a passionate reaction in people,
I just wish that many of those who are so passionate (the much maligned "Apple
fan boi") would accept that you can be both critical AND supportive of a
company.

------
evolve2k
Is it enough to update Xcode command line tools or do I need to install full
Xcode?

(I don't usually use Xcode)

~~~
teh64
Updating Command Line Tools is enough:

    $ xcode-select --print-path
    /Library/Developer/CommandLineTools

    $ git --version
    git version 2.7.4 (Apple Git-66)

~~~
emmelaich
    softwareupdate --install 'Command Line Tools (OS X 10.11) for Xcode-7.3'

~~~
teh64
Didn't know that software update was even possible from the Terminal. That's
pretty cool.

------
chris_wot
And this wouldn't be a problem if they didn't make a wide variety of system
directories immutable to anyone (including root) but the installation user.

Apparently this is a very unpopular opinion, so even though I really like
Apple and use them on a daily basis, I await the brickbats for daring to offer
even the smallest criticism of decisions they made about El Capitan.

Please, feel free to reboot your server to disable this security feature so
that you can install security updates for software Apple take a rather long
time to supply themselves.

~~~
vertex-four
OS X isn't a server OS and hasn't been for a while.

~~~
chris_wot
Funny how I just installed OS X Server just today...

~~~
vertex-four
You can also install Apache, a mail server, etc etc on Windows 10. Doesn't
make Windows 10 a server OS.

~~~
chris_wot
And Windows can operate as a server running all sorts of things like Active
Directory, Exchange, etc. - that's because Microsoft bundles the software with
it to allow it to do this, but the underlying operating system remains the
same.

How is that any different to OS X? And how are you defining what is and isn't
a "server operating system"? Perhaps I'm taking you too literally, but I guess
I consider an operating system that allows or is designed to act as a server
to be such a thing.

Of course, it might not be the best way of running a server, but it's still an
operating system running software listening on a port that serves the requests
from clients.

I seem to remember when people said Linux wasn't a "server OS", yet it very
much was...

~~~
vertex-four
> And Windows can operate as a server running all sorts of things like Active
> Directory, Exchange, etc. - that's because Microsoft bundles the software
> with it to allow it to do this, but the underlying operating system remains
> the same.

Actually, it seriously isn't - Windows Server has a hugely changed set of
features compared to Windows on the desktop, from the kernel upwards. The
software in question is tied heavily into every piece of the OS - there is
almost no major component in Windows 10 that is exactly the same in its
equivalent server build. This is very different from both OS X and Linux.

OS X is very much _not_ designed to act as a permanently always-on server in a
business-critical capacity - what I'd expect from a server OS. The fact that
Apple sell a product called "server" doesn't change that, any more than that
XAMPP exists for Windows 10.

To put it in a question - would you run your SaaS off of OS X?

~~~
chris_wot
No, I wouldn't. I think I made that clear already? I'm just saying that I
don't understand your definition of a "server OS".

Incidentally, my point about Windows Server is the same you have made - except
that the kernel architecture is the same. It still runs pretty much this:

[https://en.wikipedia.org/wiki/Architecture_of_Windows_NT#/me...](https://en.wikipedia.org/wiki/Architecture_of_Windows_NT#/media/File:Windows_2000_architecture.svg)

------
rebelde
Xcode 7.3.1 doesn't seem to be enough.

I installed Xcode 7.3.1, but git hasn't been updated to 2.7.4.

    $ git --version
    git version 2.5.0

Do I need to do something more?

~~~
bcruddy
Git seems to be included with the xcode command line tools, make sure that's
up to date.

~~~
Stratoscope
If you have Xcode, you don't need the command line tools and are better off
removing them. The Xcode.app bundle itself contains all the command line
tools, so having both is redundant. The command line tools are just provided
for people who don't want to install the full Xcode.

------
teamhappy
The git versions Apple ships are reasonably up to date. Too bad they don't
include the contrib directory.

~~~
masklinn
> The git versions Apple ships are reasonably up to date.

More than usual, but still not exactly up to date: as of April 17, Xcode
shipped with Git 2.6.4, which was 2 minors and ~4 months out of date (2.6.5 in
January and 2.6.6 in March) on its maintenance branch, and a major out of date
(2.7.0 had been released in January).

------
Sir_Substance
Any chance that blog is based off a static site generator I can use? It looks
like pretty much my ideal blog format.

------
skimmas
Probably not really related, but for me that update is stuck at 0KB. I wonder if
it has anything to do with me having changed country in the middle of the process.

------
OJFord
Meanwhile, Homebrew's Git is at 2.8.2 (latest).

~~~
bcruddy
/usr/bin/git is still vulnerable and is much more difficult than it appears to
be to remove; Homebrew's git binary is stored in /usr/local/bin/git.

~~~
comex
The claim you're making has been widely spread but is mistaken. /usr/bin/git
is just a wrapper that execs the real git from /Applications/Xcode.app or
/Library/Developer/CommandLineTools (depending on what you have installed),
and some things will invoke the latter directly anyway; thus removing the
wrapper is neither necessary nor sufficient to prevent exposure to the
vulnerability.
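
A defender's way to act on the point above is to check every git that a Mac could actually end up invoking, rather than only whatever `git` resolves to in `$PATH`. The script below is an added example, not code from the thread or from Apple: it asks `xcrun -f git` (the same lookup the `/usr/bin/git` shim performs, honouring `DEVELOPER_DIR`) where the real binary lives, then also probes the usual Xcode, Command Line Tools and Homebrew locations (assumed typical paths) and compares each reported version against 2.7.4, the fixed Apple build named earlier in the thread. The version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which git binaries on this machine are at or above
# the fixed version. Not part of the original thread.

MIN_GIT_VERSION="2.7.4"   # fixed Apple build mentioned in the thread

# version_ge A B: succeed (exit 0) when dotted version A >= dotted version B.
# Both are padded with ".0.0" so that "2.8" compares like "2.8.0".
version_ge() {
  a="$1.0.0"; b="$2.0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# git_version_of LINE: extract the dotted version from a "git --version" line,
# e.g. "git version 2.7.4 (Apple Git-66)" -> "2.7.4". Prints nothing otherwise.
git_version_of() {
  printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# git_is_patched LINE: succeed when the version in LINE is >= MIN_GIT_VERSION.
git_is_patched() {
  v=$(git_version_of "$1")
  [ -n "$v" ] && version_ge "$v" "$MIN_GIT_VERSION"
}

# check_binary PATH: print one status line for the git binary at PATH.
check_binary() {
  if [ -n "$1" ] && [ -x "$1" ]; then
    line=$("$1" --version 2>/dev/null)
    if git_is_patched "$line"; then
      printf 'OK         %s: %s\n' "$1" "$line"
    else
      printf 'VULNERABLE %s: %s\n' "$1" "$line"
    fi
  else
    printf 'SKIP       %s (absent or not executable)\n' "${1:-<none>}"
  fi
}

main() {
  # The /usr/bin/git shim execs whatever xcrun resolves, so check that first
  # (xcrun honours DEVELOPER_DIR, so a changed environment changes the answer).
  if command -v xcrun >/dev/null 2>&1; then
    check_binary "$(xcrun -f git 2>/dev/null)"
  fi
  # Assumed typical install locations; adjust if your layout differs.
  for candidate in \
      /usr/bin/git \
      /usr/local/bin/git \
      /Library/Developer/CommandLineTools/usr/bin/git \
      /Applications/Xcode.app/Contents/Developer/usr/bin/git; do
    check_binary "$candidate"
  done
}

main
```

Run it after updating Xcode or the Command Line Tools: a `VULNERABLE` line for the `xcrun -f git` result means the binary that `/usr/bin/git` will actually exec is still old, regardless of what Homebrew put first in `$PATH`.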

~~~
chris_wot
Or you set the DEVELOPMENT_DIR environment variable... what could _possibly_
go wrong?

------
cauthon
`brew upgrade git`

No need to wait for Apple.

~~~
pdpi
That still leaves the system git vulnerable, which might be exploitable if you
can trick the user into choosing the wrong git binary.

~~~
matt_wulfeck
    chmod -x /usr/bin/git

~~~
chris_wot
You can't. That's the point!

~~~
danieldk
    sudo chmod a-x $(xcrun -f git)

_All problems in computer science can be solved by another level of
indirection_

~~~
chris_wot
Er... I gain root access and just do:

    sudo chmod a+x $(xcrun -f git)

------
kazinator
> _My reading suggests that if you were to point a vulnerable version at a
> repository which is controlled by an attacker, then they could run code as
> you on your machine._

This threat exists regardless, because git repos usually contain code, which
you pull, compile and execute. As you, on your machine.

~~~
mordocai
Yes, but normally you get to inspect that code before compiling and executing
if you wish to.

~~~
kazinator
But you don't get to do that with the updated git from Apple any more than the
original.

~~~
rajivm
I clone repositories all the time to inspect/learn/debug dependencies without
ever building them.

