GitHub has acknowledged there's a flaw in its client software and recommended that users upgrade as soon as possible.
News of the flaw was announced at GMANE and GitHub has confirmed the existence of the flaw and issued a recommendation for “all users of GitHub and GitHub Enterprise to update their Git clients as soon as possible.”
The flaw means “ An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine.”
“Linux clients are not affected if they run in a case-sensitive filesystem,” the service's warning reads, but are nonetheless encouraged to upgrade. Windows and Mac OS users have no excuse not to upgrade, as “Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability.”
GitHub's de-fanged the attack by making sure that “repositories hosted on github.com cannot contain any of the malicious trees that trigger the vulnerability”.
All Git clients have been updated, but third party tools also need a tweak: the likes of Visual Studio can access GitHub in the non-useful ways the attack allows.
If today, as we expect might be the case for many readers, is your last day of work before a Christmas/New Year break, perhaps implementing and testing these updates will be the last thing you do all year. What a shame it would be if it consumed the whole day. ®