What to do about recent remote code execution vulnerability in git (on El Capitan)

The recent remote code execution bug in git looks pretty serious. The way I read this is that if I'm running a git client prior to 2.7.1, I'm susceptible to remote code execution if I use git to interact with a malicious (or compromised) repo. It seems like a manual upgrade of the git client is in order, but rootless prevents things like brew from working. (I'm currently on the latest stable Xcode 7.2.1)

What's the best way forward under El Capitan? Turn off rootless and install with brew? Install an updated git client from source? (latest stable binary appears to be prior to 2.7.1) Is there an updated git client in a newer version of Xcode?


Solution 1:

If you use Homebrew it's pretty easy:

brew upgrade git
which git
=> /usr/local/bin/git
git --version
=> git version 2.7.3

Done.

Solution 2:

Brew doesn't ever work to replace or patch an OS version - it's consciously designed to only put binaries beside those from Apple and not in place of them.

If you want to make sure that no program calls Apple's /usr/bin/git or you don't call it, then these steps will accomplish that goal of hardening your 10.11 installs:

  1. Run OS X Recovery by holding down Command-R while the Mac is starting up.
  2. Use the Utilities menu to run Terminal
  3. csrutil disable
  4. reboot
  5. Enter single user mode by holding Command-S while the Mac is restarting.
  6. mount -uw /
  7. rm /usr/bin/git
  8. halt
  9. Repeat the OS X Recovery step and open Terminal and run csrutil enable
  10. reboot

At this point, the git from Apple is removed.

Search for other git binaries:

  • /Library/Developer/CommandLineTools/usr/bin/git is 2.5.4
  • /Applications/Xcode.app/Contents/Developer/usr/bin/git is 2.5.4

You are at very slight risk since you only ran without SIP in single user mode long enough to remove the one binary. You can also get git 2.7.4 from brew as of March 18, 2016 if you like:

brew install git
git --version

You'll want to watch all OS X updates to be sure they don't pop another copy of git that's patched lower than you wish. For most people, I would focus on only connecting to servers that are patched and/or known to be not malicious. Just having the git sitting there is low risk in my read of the situation.

Some other threads of interest:

  • Use downloaded Git instead of preinstalled Git
  • Security update for git on mac
  • How to properly update git on mac?
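As an added example (it is not code from either answer above), here is a POSIX sh script that automates the "search for other git binaries" step from Solution 2 and the version check behind Solution 1: it looks at the locations named in this thread plus whatever `git` resolves to on PATH, parses each `git --version`, and flags anything older than 2.7.1, the first fixed release the question refers to. The candidate path list and the 2.7.1 threshold are assumptions taken from this thread; rerun it after any OS X or Xcode update, as the answer suggests, to catch a re-installed older copy.

```shell
#!/bin/sh
# Added example: audit every git binary reachable on this machine and flag
# those older than the fixed release. Not from the original answers; the
# candidate locations and the threshold below are assumptions from the thread.

MIN_GIT_VERSION="2.7.1"

# Extract the bare version number from a `git --version` line, e.g.
# "git version 2.5.4 (Apple Git-61)" -> "2.5.4". Prints nothing (and still
# returns 0) when the line does not look like git's output.
parse_git_version() {
    case "$1" in
        "git version "*) ;;
        *) return 0 ;;
    esac
    v=${1#git version }
    v=${v%% *}          # drop " (Apple Git-61)" and similar suffixes
    v=${v%.}            # defensive: strip a trailing dot
    case "$v" in
        ""|*[!0-9.]*) return 0 ;;   # not a plain dotted number
    esac
    printf '%s\n' "$v"
}

# i-th numeric component of a dotted version; missing components read as 0.
component() {
    printf '%s.0.0\n' "$1" | cut -d. -f"$2"
}

# Returns 0 when $1 is strictly older than $2, 1 otherwise.
# Compares major.minor.patch numerically, so 2.10.0 sorts after 2.7.1.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(component "$1" "$i")
        y=$(component "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Classify one `git --version` line: OK, VULNERABLE (< MIN_GIT_VERSION) or UNKNOWN.
classify_git_version() {
    ver=$(parse_git_version "$1")
    if [ -z "$ver" ]; then
        printf 'UNKNOWN\n'
    elif version_lt "$ver" "$MIN_GIT_VERSION"; then
        printf 'VULNERABLE\n'
    else
        printf 'OK\n'
    fi
}

# Locations named in the thread, plus whatever `git` resolves to on PATH.
candidate_git_paths() {
    printf '%s\n' \
        /usr/bin/git \
        /usr/local/bin/git \
        /Library/Developer/CommandLineTools/usr/bin/git \
        /Applications/Xcode.app/Contents/Developer/usr/bin/git
    command -v git 2>/dev/null || true
}

# Print "<path> <version-line> <verdict>" for every existing git binary.
# Returns 1 if any binary is older than MIN_GIT_VERSION, 0 otherwise.
audit_git_binaries() {
    rc=0
    for p in $(candidate_git_paths | sort -u); do
        [ -x "$p" ] || continue
        line=$("$p" --version 2>/dev/null || true)
        verdict=$(classify_git_version "$line")
        printf '%s | %s | %s\n' "$p" "$line" "$verdict"
        [ "$verdict" = "VULNERABLE" ] && rc=1
    done
    return $rc
}

audit_git_binaries || printf 'At least one git is older than %s\n' "$MIN_GIT_VERSION" >&2
```

On an untouched El Capitan install this prints the Apple-shipped /usr/bin/git, the Command Line Tools copy and the Xcode copy as VULNERABLE (they were 2.5.4 at the time of the thread) and the Homebrew copy in /usr/local/bin as OK once it has been upgraded; a non-zero exit status makes it usable from a cron job or a login hook.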