Apple has released a security update for its Xcode integrated development environment, patching two critical flaws that led to remote code execution.
Apple patches critical Xcode flaws
Xcode is a development environment containing a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software.
Addressing serious vulnerabilities in the Git version control implementation bundled with Xcode, the fixes target CVE-2016-2315 and CVE-2016-2324. Affecting Git 2.7.3 and earlier, the vulnerabilities are server- and client-side remote code execution flaws. They can be triggered by pushing or cloning a repository that contains very long filenames or a large number of nested trees. Although upstream patched these vulnerabilities in March with the release of Git 2.7.4, users who installed Xcode on OS X El Capitan still received Git 2.6.4, a version released back in December.
CVE-2016-2315 is a heap-based buffer overflow vulnerability "which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow." CVE-2016-2324 is "server and client side remote code execution through a buffer overflow in all git versions before 2.7.1."
Security researcher Mattias Geniar wrote about these Git flaws in March, warning that they could be exploited for remote code execution. Of the potential server- and client-side exploits, he wrote:
In order to push to a remote git repository, you need write access which for most git servers would require some kind of authentication / authorization first. However, for services like Bitbucket or GitHub where you can create or clone a repository without approval from an admin, the consequences could be bigger as anyone can attempt to trigger the vulnerability.
To clone a repository you just need a local user account on a Linux or Windows machine with access to the git binary. This leaves the door wide open for, well, pretty much everyone. If you allow users to execute arbitrary code on your servers, you could have a problem (think of PHP's exec(), system(), ... calls).
Any system with local users that allows the execution of git client commands should be carefully watched.
Apple has now addressed both these issues and has updated Git to version 2.7.4 in Xcode 7.3.1. Users on OS X El Capitan 10.11 and later can download Xcode from here.
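As an added check that is not part of the article, the POSIX shell script below parses the output of `git --version` and flags any binary, such as the one Xcode installs, that is older than the 2.7.4 release which fixed both CVEs. The sample version strings and the "Apple Git-xx" build suffix are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): flag a git binary that predates the
# 2.7.4 release which fixed CVE-2016-2315 and CVE-2016-2324.

FIXED_GIT_VERSION="2.7.4"

# Extract "X.Y.Z" from output such as "git version 2.6.4 (Apple Git-xx)".
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Missing components are treated as 0, so 2.7 < 2.7.4.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        [ -z "$ap" ] && ap=0
        [ -z "$bp" ] && bp=0
        if [ "$ap" -lt "$bp" ]; then printf '%s\n' -1; return; fi
        if [ "$ap" -gt "$bp" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the reported version is older than the fixed release,
# fails with exit 1 when it is patched, and exit 2 when the output is unparseable.
git_is_vulnerable() {
    v=$(parse_git_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$FIXED_GIT_VERSION")" -lt 0 ]
}

# Check whichever git is first on PATH (on a Mac with Xcode, /usr/bin/git).
check_local_git() {
    out=$(git --version 2>/dev/null) || { echo "git not found on PATH"; return 2; }
    if git_is_vulnerable "$out"; then
        echo "VULNERABLE: $out (need git >= $FIXED_GIT_VERSION)"
        return 1
    fi
    echo "OK: $out"
}

# Constructed sample strings: pre-patch Xcode 7.3 versus patched Xcode 7.3.1.
git_is_vulnerable "git version 2.6.4 (Apple Git-xx)" && echo "2.6.4 flagged"
git_is_vulnerable "git version 2.7.4 (Apple Git-xx)" || echo "2.7.4 passes"
```

Run `check_local_git` after sourcing the script to test the git on PATH; a non-zero exit means the binary should be updated.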