Question

Git Vulnerability



So our Security department has found a major bug with all Git Clients that access Git repositories. https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

I'm wondering if anyone knows what the most popular Git clients are on Mac OS X.

Thanks!

36 replies

  • Hall of Fame
  • 920 replies
  • December 19, 2014

git comes with Xcode and/or the Xcode command line tools, so there's that one.

Homebrew (http://brew.sh) can also install git, which may or may not be a different version number than the one installed by the Xcode tools (homebrew usually updates faster).

As far as GUI git clients, the ones I know of are these:

GitHub for Mac - https://mac.github.com
SourceTree - http://www.sourcetreeapp.com
Tower - http://www.git-tower.com


emily
  • Hall of Fame
  • 871 replies
  • December 19, 2014

Our folks all use the GitHub Mac client.


  • Valued Contributor
  • 238 replies
  • December 19, 2014

FYI, Apple has patched the Git vulnerability in Xcode 6.2 beta 3:

http://support.apple.com/en-us/HT204147


  • Contributor
  • 68 replies
  • December 19, 2014

I just disabled the preinstalled Apple git with the script below:

```sh
# Rename Apple's git so nothing on the box can pick up the unpatched binary
sudo mv /usr/bin/git /usr/bin/git-apple-insecure
```

Then I've been getting people on Brew so they can stay current faster. Also did an Extension Attribute for git version to track who is using the old through Brew.


davidacland
  • Valued Contributor
  • 1811 replies
  • December 19, 2014

We were on the Apple version but have switched to using the Brew version of git.


elliotjordan
  • Valued Contributor
  • 143 replies
  • December 19, 2014

In case it's useful, here's an extension attribute that will report the version(s) of Git installed.
https://gist.github.com/homebysix/501a3bc5144b77aecc0c

This can be paired with smart groups to determine which computers are vulnerable:

  • Git version LIKE "git version 1.8" AND Git version NOT LIKE "git version 1.8.5.6"
  • Git version LIKE "git version 1.9" AND Git version NOT LIKE "git version 1.9.5"
  • Git version LIKE "git version 2.0" AND Git version NOT LIKE "git version 2.0.5"
  • Git version LIKE "git version 2.1" AND Git version NOT LIKE "git version 2.1.4"
  • Git version LIKE "git version 2.2" AND Git version NOT LIKE "git version 2.2.1"

These smart groups aren't evergreen; they'll need to be updated as new (non-vulnerable) git versions appear. But that should be a good start for immediate reporting.


  • New Contributor
  • 8 replies
  • December 20, 2014

The only issue with running --version, at least with Apple Git at /usr/bin/git, is that if the Xcode developer tools are not installed the user receives a prompt to go and get them. So in light of this we need to add additional checks, at least for the Apple version of git, before doing the --version.


  • Valued Contributor
  • 238 replies
  • December 22, 2014

@clarkml:

You can exclude Xcode's Git install from the EA by piping the path listing through sed:

```sh
# Read the console user's PATH and drop Apple's /usr/bin entry so /usr/bin/git is never probed
CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep '^PATH=' | /usr/bin/colrm 1 5 | sed 's|/usr/bin:||g'")
```

We will use this method to find any Git installations outside of Xcode. Thanks, @elliotjordan!

--Andy


elliotjordan
  • Valued Contributor
  • 143 replies
  • December 22, 2014

That's a great workaround, @andyinindy. I'll incorporate that into my script. Thanks!


  • New Contributor
  • 1 reply
  • June 1, 2018

@jesseshipley, do you mind sharing how you were able to get the version to show up for the extension attribute? I created the extension attribute and it shows up as a field now in our inventory display, but the field is always blank. Any help would be great, thanks.



@ogonzalez I don't have access to the same jamf instance anymore so I don't know exactly what I wrote. But it was probably just

```sh
# Third whitespace-separated field of "git version X.Y.Z" is the version number
echo "<result>$(/usr/bin/git --version | awk '{print $3}')</result>"
```

  • New Contributor
  • 29 replies
  • January 24, 2020

bump


  • New Contributor
  • 29 replies
  • January 24, 2020

I got @elliotjordan's EA working by replacing /usr/bin/printf "<result>$RESULT</result> " with @jesseshipley's suggestion. Just having a mental block... I need to accomplish two things: a smart group with devices that have any version of git installed, and the smart group(s) for those not on the latest version. Wondering what the smart groups should look like for the more recent Git versions, something like this?

  • Git version LIKE "git version 2.21" AND Git version NOT LIKE "git version 2.21.1"
  • Git version LIKE "git version 2.22" AND Git version NOT LIKE "git version 2.22.2"
  • Git version LIKE "git version 2.23" AND Git version NOT LIKE "git version 2.23.1"
  • Git version LIKE "git version 2.24" AND Git version NOT LIKE "git version 2.24.1"
  • Git version LIKE "git version 2.25" AND Git version NOT LIKE "git version 2.25.0"

Again sorry, having a Friday mental block and would appreciate insight from others. Has anyone automated this so you don't have to update the smart group with new versions?
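An added example, not code from the thread, that folds elliotjordan's per-release-line smart-group criteria, the earlier concern about /usr/bin/git triggering the developer-tools prompt, and this post's question about not hand-updating the groups into one extension-attribute check: the fixed-version list (the lines the 2014 smart groups encode) and the probe paths in report_git_installs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a version-aware "is this git vulnerable?"
# check for an extension attribute, so a smart group can key on a single
# fixed/vulnerable value instead of one LIKE pattern per release line.
# Assumptions: the fixed-version list below (the release lines the thread's
# smart groups encode) and the probe paths in report_git_installs.

# One fixed release per affected major.minor line (from the 2014 smart groups).
FIXED_VERSIONS="1.8.5.6 1.9.5 2.0.5 2.1.4 2.2.1"

# version_ge A B: exit 0 if dotted version A >= B, comparing each component
# as a number (so 2.10.0 > 2.9.9, which a string/LIKE comparison gets wrong).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# git_status X.Y.Z: prints "fixed" or "vulnerable". A version on one of the
# listed lines is fixed once it reaches that line's fix; anything newer than
# the last listed line postdates the advisory, anything older never got a fix.
git_status() {
    v=$1
    line=$(printf '%s\n' "$v" | cut -d. -f1,2)
    for fixed in $FIXED_VERSIONS; do
        if [ "$(printf '%s\n' "$fixed" | cut -d. -f1,2)" = "$line" ]; then
            if version_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    if version_ge "$v" 2.2.1; then echo fixed; else echo vulnerable; fi
}

# macOS only: print "<path> <version> <status>" for each git found. Apple's
# /usr/bin/git is a shim that shows the "install developer tools" dialog when
# the Command Line Tools are absent, so it is only called when xcode-select
# reports a developer directory. The other paths are Intel Homebrew, Apple
# Silicon Homebrew and the SourceForge installer's default location (assumed).
report_git_installs() {
    if [ -d "$(/usr/bin/xcode-select -p 2>/dev/null)" ]; then
        ver=$(/usr/bin/git --version | awk '{print $3}')
        echo "/usr/bin/git $ver $(git_status "$ver")"
    fi
    for p in /usr/local/bin/git /opt/homebrew/bin/git /usr/local/git/bin/git; do
        if [ -x "$p" ]; then
            ver=$("$p" --version | awk '{print $3}')
            echo "$p $ver $(git_status "$ver")"
        fi
    done
}
```

To use it as an EA, wrap the output of report_git_installs in the result tags the thread already uses and build the smart group on the status word; only the FIXED_VERSIONS line changes when a new advisory lands.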


  • New Contributor
  • 29 replies
  • January 24, 2020

Was overthinking a bit... for a smart group of devices with Git installed I just did "Git version IS NOT" and left the value blank. Then looked into this <https://www.jamf.com/jamf-nation/feature-requests/8442/add-recon-as-an-option-in-jss> for running recon on all devices to get immediate reporting on the EA. Now just looking into the smart groups to identify old versions. This was a useful representation of the versions:


  • Valued Contributor
  • 50 replies
  • March 12, 2021

We are also looking into an extension attribute now as there's a new vulnerability. However, using the Extension Attribute above it seems to pick up the Git version installed by Apple (as the latest version collected is 2.24.3). Does anyone have an extension attribute to show the version of Git installed that comes through brew? Then we will look into disabling the built-in Apple version.


  • Contributor
  • 10 replies
  • March 12, 2021

We're doing the same @jonlju

I think we're just going to force everyone with a custom version of git onto 2.30.2 and add the symlink work around to all machines with the basic apple git. I've hacked the EA above to suit my needs to make a brew only EA. Compare the version to a hardcoded one and give an output of 'Safe' 'Unsafe' or 'Not Installed'

Safe = Do nothing
Unsafe = run git upgrade script
Not Installed = run symlinks workaround

```bash
#!/bin/bash

###
# Checks to see if git has been installed via homebrew and returns 'Not Installed' if not.
# If so, it will return 'Safe' or 'Unsafe' with the version number, comparing against a
# hardcoded approved version which you set in this EA.
###

CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
# The console user's PATH with Apple's git locations removed, so only non-Apple installs are probed
CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep '^PATH=' | /usr/bin/colrm 1 5 | sed 's|/usr/bin:||g' | sed 's|/Library/Apple/usr/bin||g'")
RESULT=""
APPROVEDVERSION=2.30.2

old=$IFS
IFS=:

for p in $CURRENT_PATH; do
    GIT_VERSION="$("$p/git" --version 2> /dev/null)"
    if [[ $? == 0 ]]; then
        RESULT+="$p $GIT_VERSION"
        # Field 4 of "<path> git version X.Y.Z" is the version number
        VERSION=$(echo "$RESULT" | awk '{ print $4}')
        #VERSION=2.40.1
    fi
done

IFS=$old

# Strip the dots and keep the first four digits so the two versions compare as integers
INSTVERSION=$(echo "$VERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/\1/')
APPVERSION=$(echo "$APPROVEDVERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/\1/')

if [[ $VERSION = "" ]]; then
    echo "<result>Not Installed</result>"
else
    if [[ $INSTVERSION -ge $APPVERSION ]]; then
        echo "<result>Safe - $VERSION</result>"
    else
        echo "<result>Unsafe - $VERSION</result>"
    fi
fi

exit 0
```

  • Honored Contributor
  • 351 replies
  • March 12, 2021

@davidjess I was thrown into this mess of patching the latest vulnerability with v.2.30.0.2. Can you share the "git upgrade script" with us?


  • Valued Contributor
  • 50 replies
  • March 12, 2021

@davidjess Thanks for sharing! I've updated our EA now with yours as well to check this. We're almost at the end of the week now so I doubt a lot will be done, but I'll get back on this on Monday to see how we're standing and what actions to take from there.

The symlink workaround you're talking about, is it running this (or similar) targeting the Apple version of Git?

"git config --global core.symlinks false"


  • Contributor
  • 10 replies
  • March 12, 2021

@jonlju Yeah, that's what I was thinking, but now I think about it, you may run the risk of users getting a 'please install development tools' message if you ran it on machines without Xcode CLT installed. So might be worth testing.

@ooshnoo here you go, another hacked up one with some lines on the end.

```bash
#!/bin/bash

# Script to install Homebrew on a Mac.
# Author: richard at richard - purves dot com
# Version: 1.0 - 21st May 2017

# Heavily hacked by Tony Williams (honestpuck@gmail.com)
# Latest version at https://github.com/Honestpuck/homebrew.sh
# v2.0 - 19th Sept 2019
# v2.0.1 Fixed global cache error
# v2.0.2 Fixed brew location error
# v2.0.3 Added more directories to handle

# v3.0 Catalina version 2020-02-17
# v3.1 | 2020-03-24 | Fix permissions for /private/tmp

# Set up variables and functions here
consoleuser="$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"

# are we in the right group
check_grp=$(groups "${consoleuser}" | grep -c '_developer')
if [[ $check_grp != 1 ]]; then
    /usr/sbin/dseditgroup -o edit -a "${consoleuser}" -t user _developer
fi

# Logging stuff starts here
LOGFOLDER="/private/var/log/"
LOG="${LOGFOLDER}Homebrew.log"

if [ ! -d "$LOGFOLDER" ]; then
    mkdir "$LOGFOLDER"
fi

function logme()
{
    # Check to see if function has been called correctly
    if [ -z "$1" ] ; then
        echo "$(date) - logme function call error: no text passed to function! Please recheck code!"
        echo "$(date) - logme function call error: no text passed to function! Please recheck code!" >> "$LOG"
        exit 1
    fi

    # Log the passed details
    echo -e "$(date) - $1" >> "$LOG"
    echo -e "$(date) - $1"
}

# Check and start logging
logme "Homebrew Installation"

# Have the xcode command line tools been installed?
logme "Checking for Xcode Command Line Tools installation"
check=$( pkgutil --pkgs | grep -c "CLTools_Executables" )

if [[ "$check" != 1 ]]; then
    logme "Installing Xcode Command Tools"
    # This temporary file prompts the 'softwareupdate' utility to list the Command Line Tools
    touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    clt=$(softwareupdate -l | grep -B 1 -E "Command Line (Developer|Tools)" | awk -F"*" '/^ +\\*/ {print $2}' | sed 's/^ *//' | tail -n1)
    # the above doesn't work in Catalina so ...
    if [[ -z $clt ]]; then
        clt=$(softwareupdate -l | grep "Label: Command" | tail -1 | sed 's#\* Label: \(.*\)#\1#')
    fi
    softwareupdate -i "$clt"
    rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    /usr/bin/xcode-select --switch /Library/Developer/CommandLineTools
fi

# Is homebrew already installed?
if [[ ! -e /usr/local/bin/brew ]]; then
    # Install Homebrew. This doesn't like being run as root so we must do this manually.
    logme "Installing Homebrew"

    mkdir -p /usr/local/Homebrew
    # Curl down the latest tarball and install to /usr/local
    curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C /usr/local/Homebrew

    # Manually make all the appropriate directories and set permissions
    mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/bin /usr/local/etc
    mkdir -p /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin
    mkdir -p /usr/local/share/zsh/site-functions /usr/local/var
    mkdir -p /usr/local/share/doc /usr/local/man/man1 /usr/local/share/man/man1
    chown -R "${consoleuser}":_developer /usr/local/*
    chmod -R g+rwx /usr/local/*
    chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions

    # Create a system wide cache folder
    mkdir -p /Library/Caches/Homebrew
    chmod g+rwx /Library/Caches/Homebrew
    chown "${consoleuser}:_developer" /Library/Caches/Homebrew

    # put brew where we can find it
    ln -s /usr/local/Homebrew/bin/brew /usr/local/bin/brew

    # Install the MD5 checker or the recipes will fail
    su -l "$consoleuser" -c "/usr/local/bin/brew install md5sha1sum"
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' |
        tee -a "/Users/${consoleuser}/.bash_profile" "/Users/${consoleuser}/.zshrc"
    chown "${consoleuser}" "/Users/${consoleuser}/.bash_profile" "/Users/${consoleuser}/.zshrc"

    # clean some directory stuff for Catalina
    chown -R root:wheel /private/tmp
    chmod 777 /private/tmp
    chmod +t /private/tmp
fi

# Make sure everything is up to date
logme "Updating Homebrew"
su -l "$consoleuser" -c "/usr/local/bin/brew update" 2>&1 | tee -a "${LOG}"

# updating git
logme "Updating Git"
su -l "$consoleuser" -c "/usr/local/bin/brew upgrade git"

#forcing git version
logme "Forcing git version"
su -l "$consoleuser" -c "/usr/local/bin/brew link --force git"

# logme user that all is completed
logme "Installation complete"

exit 0
```

  • Honored Contributor
  • 351 replies
  • March 16, 2021

@davidjess thanks for the script. Unfortunately it looks like it's not working and leaves the install of Git untouched, as the EA we used, which is listed above, still shows the version as being "Unsafe - 2.25.0"

EDIT... never mind. Fixed it!!! On line 113 I changed "brew install git" to "brew upgrade git"


  • Contributor
  • 10 replies
  • March 17, 2021

Sorry, meant to come back along and post that change!


  • Contributor
  • 10 replies
  • March 18, 2021

Noticed a small number of machines not being able to update and complaining of a shallow cask, so I added a couple of lines to fix that.

```zsh
#!/bin/zsh

#################################################################################################
#
# Created by: David Jess
# Date: 15 Mar 2021
#

# Requirements:
# macOS 10.14.0 or later
#
# Description: This script asks brew to patch Git to the latest version
#
#
#################################################################################################

#################################################################################################

## VARIABLES

consoleuser="$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')"

## FUNCTIONS

### Check group permissions ###

function CheckGroup ()
{
    # are we in the right group
    check_grp=$(groups "${consoleuser}" | grep -c '_developer')
    if [[ $check_grp != 1 ]]; then
        /usr/sbin/dseditgroup -o edit -a "${consoleuser}" -t user _developer
        echo "Group changed"
    else
        echo "Group ok"
    fi
}

### Check if homebrew is installed

function CheckBrew ()
{
    # Is homebrew already installed?
    if [[ ! -e /usr/local/bin/brew ]]; then
        # Install Homebrew. This doesn't like being run as root so we must do this manually.
        echo "Brew not installed"
        echo "Installing Homebrew"

        mkdir -p /usr/local/Homebrew
        # Curl down the latest tarball and install to /usr/local
        curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C /usr/local/Homebrew

        # Manually make all the appropriate directories and set permissions
        mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/bin /usr/local/etc
        mkdir -p /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin
        mkdir -p /usr/local/share/zsh/site-functions /usr/local/var
        mkdir -p /usr/local/share/doc /usr/local/man/man1 /usr/local/share/man/man1
        chown -R "${consoleuser}":_developer /usr/local/*
        chmod -R g+rwx /usr/local/*
        chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions

        # Create a system wide cache folder
        mkdir -p /Library/Caches/Homebrew
        chmod g+rwx /Library/Caches/Homebrew
        chown "${consoleuser}:_developer" /Library/Caches/Homebrew

        # put brew where we can find it
        ln -s /usr/local/Homebrew/bin/brew /usr/local/bin/brew

        # Install the MD5 checker or the recipes will fail
        su -l "$consoleuser" -c "/usr/local/bin/brew install md5sha1sum"
        echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' |
            tee -a "/Users/${consoleuser}/.bash_profile" "/Users/${consoleuser}/.zshrc"
        chown "${consoleuser}" "/Users/${consoleuser}/.bash_profile" "/Users/${consoleuser}/.zshrc"

        # clean some directory stuff for Catalina
        chown -R root:wheel /private/tmp
        chmod 777 /private/tmp
        chmod +t /private/tmp
    else
        echo "Homebrew already installed"
    fi
}

### Upgrade git and link

function UpgradeGit ()
{
    # mitigation for shallow cask: brew refuses to update a shallow tap clone, so unshallow both taps first
    su -l "$consoleuser" -c "/usr/local/bin/git -C '/usr/local/Homebrew/Library/Taps/homebrew/homebrew-core' fetch --unshallow"
    su -l "$consoleuser" -c "/usr/local/bin/git -C '/usr/local/Homebrew/Library/Taps/homebrew/homebrew-cask' fetch --unshallow"

    # updating git
    echo "Upgrading Git"
    su -l "$consoleuser" -c "/usr/local/bin/brew upgrade git"

    #forcing git version
    echo "Forcing git version"
    su -l "$consoleuser" -c "/usr/local/bin/brew link --force git"
}

################################################################################################

## MAIN SCRIPT

echo "Script Starting..."
echo "Checking group...."
CheckGroup
echo "Check if brew is installed..."
CheckBrew
echo "Starting Git Upgrade of git..."
UpgradeGit
echo "Script completed"
exit 0
```

  • New Contributor
  • 1 reply
  • March 22, 2021

@davidjess -- thanks for posting your scripts. I'm using your EA to find machines that are running homebrew and need updating and noticed it doesn't seem to be playing nice on Big Sur/M1 machines. Just says "Not Installed" when it definitely is. My knowledge of homebrew installation/pathing and scripting unfortunately is too basic to figure out the issue. Works great on other machines. Any ideas?

Update: Homebrew installs in the /opt directory on Big Sur, as opposed to /usr/local on Catalina (and probably Mojave) machines. So there's that.


  • Valued Contributor
  • 50 replies
  • March 30, 2021

Apparently if you install Git using the binary (available on SourceForge) it can't be found with the extension attribute, so I have to look into that as well, as some developers are using that installation.


  • New Contributor
  • 12 replies
  • October 21, 2022

Hey all. New here and looking for a solution similar to what has been discussed above. There is a new Git vuln and I need to be able to report versioning in Jamf to get a handle. I tried creating an EA from above and nothing seems to be displaying. Any insight would be helpful, thanks!

https://github.blog/2022-10-18-git-security-vulnerabilities-announced/ 

