Another libgit2 Security Update

January 20, 2015

On the heels of CVE-2014-9390, we are announcing another round of security updates to libgit2. Similar to the prior vulnerability, an attacker can construct a git commit that, when checked out, may cause files to be written to your .git directory, which may lead to arbitrary code execution.

When attempting to write into a directory, we will follow symbolic links in the working directory, instead of removing the link and re-creating a directory in its place. On a case insensitive filesystem, this allows an attacker to produce a commit that creates a symbolic link pointing at the .git directory, then creates a file in a folder whose name differs from the symlink's only in case. The previously written symbolic link would then be followed, and the file would be written in the .git directory.
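As an added illustration (not libgit2's own code), this is the check a checkout writer needs against the scenario above: refuse any path component that is `.git` in any letter case, and never follow a symbolic link in an already existing component. Case-insensitive lookup is emulated in `find_entry_ignoring_case` so the constructed scenario (symlink `Hooks` -> `.git`, then a file under `hooks/`) reproduces on a case-sensitive host too; all names and the temporary repository are constructed for the demo.

```python
import os
import tempfile

def names_git_dir(relpath):
    """True if any path component is .git in any letter case, the spelling a
    case-insensitive filesystem (HFS+ by default) would map onto .git."""
    return any(p.lower() == ".git" for p in relpath.split("/") if p)

def find_entry_ignoring_case(parent, name):
    """Emulate case-insensitive lookup: existing entry matching name ignoring case, or None."""
    try:
        return next(e for e in os.listdir(parent) if e.lower() == name.lower())
    except (FileNotFoundError, StopIteration):
        return None

def symlink_in_path(workdir, relpath):
    """Walk existing directory components without following links; True if any is a symlink."""
    cur = workdir
    for part in relpath.split("/")[:-1]:
        existing = find_entry_ignoring_case(cur, part)
        if existing is None:
            return False          # rest of the path does not exist yet: safe to create
        cur = os.path.join(cur, existing)
        if os.path.islink(cur):   # lstat-based: the link itself, not its target
            return True
    return False

def checkout_blob(workdir, relpath, data):
    """Simplified checkout write that refuses the two dangerous cases."""
    if names_git_dir(relpath):
        return "refused: path names .git"
    if symlink_in_path(workdir, relpath):
        return "refused: symlink in path"
    full = os.path.join(workdir, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return "written"

def demo():
    """Constructed scenario: commit holds symlink 'Hooks' -> .git plus a file under 'hooks/'."""
    with tempfile.TemporaryDirectory() as wd:
        os.mkdir(os.path.join(wd, ".git"))
        results = {"normal": checkout_blob(wd, "src/main.c", b"int main(void){return 0;}\n")}
        os.symlink(".git", os.path.join(wd, "Hooks"))  # the committed symlink to .git
        results["via_symlink"] = checkout_blob(wd, "hooks/post-checkout", b"#!/bin/sh\n")
        results["case_variant"] = checkout_blob(wd, ".GIT/config", b"")
        results["hook_planted"] = os.path.exists(os.path.join(wd, ".git", "hooks", "post-checkout"))
    return results
```

Without the two checks, the `hooks/post-checkout` write would resolve through `Hooks` into `.git/hooks/` on a case-insensitive filesystem; with them, `hook_planted` stays false.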

This vulnerability primarily affects Mac OS, as its filesystem, HFS+, is case insensitive by default and supports symbolic links. Git core is not affected by this vulnerability, nor are clients built on top of the git command-line interface.

Updated versions of libgit2 are being made available immediately, as are versions of LibGit2Sharp and Objective Git. We recommend that libgit2 users upgrade.

In addition, GitHub for Mac was updated yesterday to include a fix for this issue.

A big thanks goes out to Jeff Hostetler, who found this vulnerability while researching additional areas where we could write into .git. Jeff is a new member of the Microsoft Visual Studio team who comes to us with an enviable resume building version control systems and developer tools in general.

Thanks also to GitHub and Microsoft for their continued support of libgit2. I am particularly pleased that Microsoft is willing to invest in finding and fixing bugs that only affect other platforms like Mac OS.