Git Vulnerablity

sgoetz
Contributor

So our Security department has found a major bug with all Git Clients that access Git repositories. https://github.com/blog/1938-vulnerability-announced-update-your-git-clients

Im wondering if anyone knows what the most popular Git Clients are on Mac OS x.

Thanks!

24 REPLIES 24

rtrouton
Valued Contributor III

git comes with Xcode and/or the Xcode command line tools, so there's that one.

Homebrew (http://brew.sh) can also install git, which may or may not be a different version number than the one installed by the Xcode tools (homebrew usually updates faster).

As far as GUI git clients, the ones I know of are these:

GitHub for Mac - https://mac.github.com
SourceTree - http://www.sourcetreeapp.com
Tower - http://www.git-tower.com

emily
Valued Contributor III

Our folks all use the GitHub Mac client.

andyinindy
Contributor II

FYI, Apple has patched the Git vulnerability in Xcode 6.2 beta 3:

http://support.apple.com/en-us/HT204147

jesseshipley
Contributor

I just disabled the preinstalled Apple git with the below script

sudo mv /usr/bin/git /usr/bin/git-apple-insecure

Then I've been getting people on Brew so they can stay current faster. Also did an Extension Attribute for git version to track who is using the old through Brew.

davidacland
Honored Contributor II
Honored Contributor II

We were on the Apple version but have switched to using the Brew version of git.

elliotjordan
Contributor II

In case it's useful, here's an extension attribute that will report the version(s) of Git installed.
https://gist.github.com/homebysix/501a3bc5144b77aecc0c

This can be paired with smart groups to determine which computers are vulnerable;

  • Git version LIKE "git version 1.8" AND Git version NOT LIKE "git version 1.8.5.6"
  • Git version LIKE "git version 1.9" AND Git version NOT LIKE "git version 1.9.5"
  • Git version LIKE "git version 2.0" AND Git version NOT LIKE "git version 2.0.5"
  • Git version LIKE "git version 2.1" AND Git version NOT LIKE "git version 2.1.4"
  • Git version LIKE "git version 2.2" AND Git version NOT LIKE "git version 2.2.1"

These smart groups aren't evergreen; they'll need to be updated as new (non-vulnerable) git versions appear. But that should be a good start for immediate reporting.

MARL
New Contributor

The only issue with running a --version, at least with Apple Git at /usr/bin/git is that if Xcode developer tools are not installed the user receives a prompt to go and get them. So in light of this we need to add additional checks, at least for the apple version of git before do the --version.

andyinindy
Contributor II

@clarkml:

You can exclude Xcode's Git install from the EA by piping the path listing through sed:

CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep PATH= | /usr/bin/colrm 1 5 | sed 's//usr/bin://g'")

We will use this method to find any Git installations outside of Xcode. Thanks, @elliotjordan!

--Andy

elliotjordan
Contributor II

That's a great workaround, @andyinindy. I'll incorporate that into my script. Thanks!

ogonzalez
New Contributor

@jesseshipley do you mind sharing how you were able to get the version to show up for the attribute extension. I created the attribute extension and it shows up as a field now in out inventory display but the field is always blank. Any help would be great thanks

jesseshipley
Contributor

@ogonzalez I don't have access to the same jamf instance anymore so I don't know exactly what I wrote. But it was probably just

echo "<result>$(/usr/bin/git --version | awk '{print $3}')</result>"

Garci4
New Contributor III

bump

Garci4
New Contributor III

I got @elliotjordan's EA working by replacing /usr/bin/printf "<result>$RESULT</result> " with @jesseshipley's suggestion. Just having a mental block... Need to accomplish 2 things, smart group with devices with any version of git installed and the smart group(s)? for those not on the latest version. Wondering what the smart groups should look like for the more recent Git versions, something like this?

Git version LIKE "git version 2.21" AND Git version NOT LIKE "git version 2.21.1"
Git version LIKE "git version 2.22" AND Git version NOT LIKE "git version 2.22.2"
Git version LIKE "git version 2.23" AND Git version NOT LIKE "git version 2.23.1"
Git version LIKE "git version 2.24" AND Git version NOT LIKE "git version 2.24.1"
Git version LIKE "git version 2.25" AND Git version NOT LIKE "git version 2.25.0"

Again sorry, having a Friday mental block and would appreciate insight from others. Anyone automate this to not have update the smart group with new versions?

Garci4
New Contributor III

Was overthinking a bit...for a smart group of devices with Git installed I just did Git version IS NOT and left the value blank. Then looked into this <https://www.jamf.com/jamf-nation/feature-requests/8442/add-recon-as-an-option-in-jss> for running recon on all devices to get immediate reporting on the EA. Now just looking into the smart groups to identify old versions. This was a useful representation of the versions: 4751405de84f45a8b132a0020d0a43cb

jonlju
Contributor

We are also looking into an extension attribute now as there's a new vulnerability. However, using the Extension Attribute above it seems to pick up the Git-version installed by Apple (as the latest version collected is 2.24.3. Does anyone have an extension attribute to show the version of Git installed that comes through brew? Then we will look into disabling the built-in Apple version.

davidjess
New Contributor III

We're doing the same @jonlju

I think we're just going to force everyone with a custom version of git onto 2.30.2 and add the symlink work around to all machines with the basic apple git. I've hacked the EA above to suit my needs to make a brew only EA. Compare the version to a hardcoded one and give an output of 'Safe' 'Unsafe' or 'Not Installed'

Safe = Do nothing
Unsafe = run git upgrade script
Not Installed = run symlinks workaround

#!/bin/sh

###
# Checks to see if git has been installed via homebrew and returns 'Not Installed' if not. If so, it will return 'Safe' or 'Unsafe' with the version number comparing against a hardcoded approved version which you set in this EA
###

CURRENT_USER=$(/usr/bin/stat -f%Su /dev/console)
CURRENT_PATH=$(/usr/bin/su "$CURRENT_USER" -c "/usr/bin/env | /usr/bin/grep PATH= | /usr/bin/colrm 1 5 | sed 's//usr/bin://g' | sed 's//Library/Apple/usr/bin//g'" )
RESULT=""
APPROVEDVERSION=2.30.2

old=$IFS
IFS=:

for p in $CURRENT_PATH; do
    GIT_VERSION="$($p/git --version 2> /dev/null)"
    if [[ $? == 0 ]]; then
        RESULT+="$p $GIT_VERSION"
        VERSION=$(echo "$RESULT" | awk '{ print $4}')
        #VERSION=2.40.1
    fi
done

IFS=$old

INSTVERSION=$(echo "$VERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/1/')
APPVERSION=$(echo "$APPROVEDVERSION" | sed 's|[.]||g' | sed -E 's/(.{4}).*/1/')

if [[ $VERSION = "" ]]; then
    echo "<result>Not Installed</result>" 
else
    if [[ $INSTVERSION -ge $APPVERSION ]]; then
            echo "<result>Safe - $VERSION</result>"
    else
            echo "<result>Unsafe - $VERSION</result>"
    fi
fi

exit 0

ooshnoo
Valued Contributor

@davidjess I was thrown into this mess of patching the latest vulnerability with v.2.30.0.2. Can you share use for the "git upgrade script"

jonlju
Contributor

@davidjess Thanks for sharing! I've updated our EA now with yours as well to check this. We're almost at the end of the week now so I doubt a lot will be done but I'll get back on this on monday to see how we're standing and what actions to take from there.

The symlink workaround you're talking about, is it running this (or similar) targeting the Apple version of Git?

"git config --global core.symlinks false"

davidjess
New Contributor III

@jonlju Yeah, that's what I was thinking, but now I think about it, you may run the risk of users getting a 'please install development' tools message if you ran it on machines without Xcode CLT installed. So might be worth testing.

@ooshnoo here you go, another hacked up one with some lines on the end.

#!/bin/bash

# Script to install Homebrew on a Mac.
# Author: richard at richard - purves dot com
# Version: 1.0 - 21st May 2017

# Heavily hacked by Tony Williams (honestpuck@gmail.com)
# Latest version at https://github.com/Honestpuck/homebrew.sh
# v2.0 - 19th Sept 2019
# v2.0.1 Fixed global cache error
# v2.0.2 Fixed brew location error
# v2.0.3 Added more directories to handle

# v3.0 Catalina version 2020-02-17
# v3.1 | 2020-03-24 | Fix permissions for /private/tmp

# Set up variables and functions here
consoleuser="$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')"

# are we in the right group
check_grp=$(groups ${consoleuser} | grep -c '_developer')
if [[ $check_grp != 1 ]]; then
    /usr/sbin/dseditgroup -o edit -a "${consoleuser}" -t user _developer
fi

# Logging stuff starts here
LOGFOLDER="/private/var/log/"
LOG="${LOGFOLDER}Homebrew.log"

if [ ! -d "$LOGFOLDER" ]; then
    mkdir $LOGFOLDER
fi

function logme()
{
# Check to see if function has been called correctly
    if [ -z "$1" ] ; then
        echo "$(date) - logme function call error: no text passed to function! Please recheck code!"
        echo "$(date) - logme function call error: no text passed to function! Please recheck code!" >> $LOG
        exit 1
    fi

# Log the passed details
    echo -e "$(date) - $1" >> $LOG
    echo -e "$(date) - $1"
}

# Check and start logging
logme "Homebrew Installation"

# Have the xcode command line tools been installed?
logme "Checking for Xcode Command Line Tools installation"
check=$( pkgutil --pkgs | grep -c "CLTools_Executables" )

if [[ "$check" != 1 ]]; then
    logme "Installing Xcode Command Tools"
    # This temporary file prompts the 'softwareupdate' utility to list the Command Line Tools
    touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    clt=$(softwareupdate -l | grep -B 1 -E "Command Line (Developer|Tools)" | awk -F"*" '/^ +\*/ {print $2}' | sed 's/^ *//' | tail -n1)
    # the above don't work in Catalina so ...
    if [[ -z $clt ]]; then
        clt=$(softwareupdate -l | grep  "Label: Command" | tail -1 | sed 's#* Label: (.*)#1#')
    fi
    softwareupdate -i "$clt"
    rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
    /usr/bin/xcode-select --switch /Library/Developer/CommandLineTools
fi

# Is homebrew already installed?
if [[ ! -e /usr/local/bin/brew ]]; then
    # Install Homebrew. This doesn't like being run as root so we must do this manually.
    logme "Installing Homebrew"

    mkdir -p /usr/local/Homebrew
    # Curl down the latest tarball and install to /usr/local
    curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C /usr/local/Homebrew

    # Manually make all the appropriate directories and set permissions
    mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/bin /usr/local/etc
    mkdir -p /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin
    mkdir -p /usr/local/share/zsh/site-functions /usr/local/var
    mkdir -p /usr/local/share/doc /usr/local/man/man1 /usr/local/share/man/man1
    chown -R "${consoleuser}":_developer /usr/local/*
    chmod -R g+rwx /usr/local/*
    chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions

    # Create a system wide cache folder  
    mkdir -p /Library/Caches/Homebrew
    chmod g+rwx /Library/Caches/Homebrew
    chown "${consoleuser}:_developer" /Library/Caches/Homebrew

    # put brew where we can find it
    ln -s /usr/local/Homebrew/bin/brew /usr/local/bin/brew

    # Install the MD5 checker or the recipes will fail
    su -l "$consoleuser" -c "/usr/local/bin/brew install md5sha1sum"
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' | 
    tee -a /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc
    chown ${consoleuser} /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc

    # clean some directory stuff for Catalina
    chown -R root:wheel /private/tmp
    chmod 777 /private/tmp
    chmod +t /private/tmp
fi

# Make sure everything is up to date
logme "Updating Homebrew"
su -l "$consoleuser" -c "/usr/local/bin/brew update" 2>&1 | tee -a ${LOG}

# updating git
logme "Updating Git"
su -l "$consoleuser" -c "/usr/local/bin/brew upgrade git"

#forcing git version
logme "Forcing git version"
su -l "$consoleuser" -c "/usr/local/bin/brew link --force git"

# logme user that all is completed
logme "Installation complete"

exit 0

ooshnoo
Valued Contributor

@davidjess thanks for the script. Unfortunately it looks like it's not working and leaves the install of Git untouched, as the EA we used, which is listed above, still shows the version as being "Unsafe - 2.25.0"

EDIT... never mind. Fixed it!!! On line 113 I changed "brew install git" to "brew upgrade git"

davidjess
New Contributor III

Sorry, meant to come back along and post that change!

davidjess
New Contributor III

Noticed a small amount of machines not being able to update and complaining of a shallow cask - added a couple of lines to fix.

#!/bin/zsh

#################################################################################################   
#
# Created by: David Jess
# Date: 15 Mar 2021
#

# Requirements:
# macOS 10.14.0 or later
#
# Description: This script asks brew to patch Git to the latest version
#
#  
#################################################################################################

#################################################################################################

## VARIABLES

consoleuser="$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");')"

## FUNCTIONS

### Check group permissions ###

function CheckGroup ()
{
# are we in the right group
check_grp=$(groups ${consoleuser} | grep -c '_developer')
if [[ $check_grp != 1 ]]; then
    /usr/sbin/dseditgroup -o edit -a "${consoleuser}" -t user _developer
    echo "Group changed"
else
    echo "Group ok"
fi
}

### Check if homebrew is installed

function CheckBrew ()
{

# Is homebrew already installed?
if [[ ! -e /usr/local/bin/brew ]]; then
    # Install Homebrew. This doesn't like being run as root so we must do this manually.
    echo "Brew not installed"
    echo "Installing Homebrew"

    mkdir -p /usr/local/Homebrew
    # Curl down the latest tarball and install to /usr/local
    curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C /usr/local/Homebrew

    # Manually make all the appropriate directories and set permissions
    mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/bin /usr/local/etc
    mkdir -p /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin
    mkdir -p /usr/local/share/zsh/site-functions /usr/local/var
    mkdir -p /usr/local/share/doc /usr/local/man/man1 /usr/local/share/man/man1
    chown -R "${consoleuser}":_developer /usr/local/*
    chmod -R g+rwx /usr/local/*
    chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions

    # Create a system wide cache folder  
    mkdir -p /Library/Caches/Homebrew
    chmod g+rwx /Library/Caches/Homebrew
    chown "${consoleuser}:_developer" /Library/Caches/Homebrew

    # put brew where we can find it
    ln -s /usr/local/Homebrew/bin/brew /usr/local/bin/brew

    # Install the MD5 checker or the recipes will fail
    su -l "$consoleuser" -c "/usr/local/bin/brew install md5sha1sum"
    echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' | 
    tee -a /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc
    chown ${consoleuser} /Users/${consoleuser}/.bash_profile /Users/${consoleuser}/.zshrc

    # clean some directory stuff for Catalina
    chown -R root:wheel /private/tmp
    chmod 777 /private/tmp
    chmod +t /private/tmp
else
    echo "Homebrew already installed"
fi

}

### Upgrade git and link

function UpgradeGit ()
{

# mitigation for shallow cask

su -l "$consoleuser" -c "/usr/local/bin/git -C "/usr/local/Homebrew/Library/Taps/homebrew/homebrew-core" fetch --unshallow"
su -l "$consoleuser" -c "/usr/local/bin/git -C "/usr/local/Homebrew/Library/Taps/homebrew/homebrew-cask" fetch --unshallow"

# updating git
echo "Upgrading Git"
su -l "$consoleuser" -c "/usr/local/bin/brew upgrade git"

#forcing git version
echo "Forcing git version"
su -l "$consoleuser" -c "/usr/local/bin/brew link --force git"

}

################################################################################################

## MAIN SCRIPT

echo "Script Starting..."
echo "Checking group...."
CheckGroup
echo "Check if brew is installed..."
CheckBrew
echo "Starting Git Upgrade of git..."
UpgradeGit
echo "Script completed"
exit 0

nelreda
New Contributor

@davidjess -- thanks for posting your scripts. I'm using your EA to find machines that are running homebrew and need updating and noticed it doesn't seem to be playing nice on Big Sur/M1 machines. Just says "Not Installed" when it definitely is. My knowledge of homebrew installation/pathing and scripting unfortunately is too basic to figure out the issue. Works great on other machines. Any ideas?

**Update: Homebrew installs in the /opt directory on Big Sur as opposed to /usr/local Catalina (and probably Mojave) machines. So there's that

jonlju
Contributor

Apparently if you install Git using the binary (available in Sourceforge) it can't be found with the extension attribute, so have to look into that as well as some developers are using that installation.