If you use Git or GitHub then you need to upgrade your Git client to avoid a potential security breach.
The problem, affecting all versions of the Git client, was announced yesterday. The vulnerability is trivial to exploit - an attacker can craft a Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository. Because a config file can define aliases for Git commands, the malicious config file can re-purpose Git commands to run just about anything it wants to, which is the sense in which the attacker can execute almost any code they want.
The cause of the problem is that Git treats .Git/config, or any other capitalization of .git/config, as a perfectly ordinary path that may be stored in the repository, distinct from the .git/config file, which lives in the repository's metadata directory rather than in the tracked tree. However, OSX and Windows use case-insensitive file systems, so on those systems .Git/config is the same file as .git/config and checking it out overwrites the real .git/config. If you are working with Linux or Unix, or any other case-sensitive operating system, then the Git client works as planned.
That is, on any operating system the Git client is "clever" enough to refuse to copy a .git/config from the repository over the real .git/config file, but it allows files like .Git/config to be copied, and on those operating systems where case makes no difference to file names the result is that .git/config is overwritten.
If you are a bit surprised that such a stupid bug survived so long, then perhaps it is worth pointing out the Linux/Unix mind set is that different capitalizations are different symbols and Windows/OSX are both secondary to Linux.
Overall the risk isn't that great, because anyone wanting to make use of the defect would have to have commit rights to create the malicious repository and thus you would probably have to work with a public repository.
The solution is to install the latest version of the Git client. Third-party software that makes use of the libgit2 and JGit libraries is also affected, and there are updates for these.
GitHub is also affected by the problem and, as well as advising people to install the latest client, it has instituted a verification procedure that makes sure that it is not hosting any trees that contain folders that are just a recapitalization of .git. Thus there can be no malicious public repositories on GitHub.
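An added example, not code from the article, from GitHub or from the Git project: a small check in the spirit of the verification described above. It walks the paths of a tree (here a constructed `git ls-tree` listing) and flags any component that a case-insensitive file system would treat as `.git`; it also strips trailing dots and spaces, which Windows ignores in file names (an assumption beyond the article, which only discusses capitalization).

```python
import subprocess
from typing import Iterable, List


def is_dotgit_component(component: str) -> bool:
    """True if a case-insensitive file system would map this name onto '.git'.

    Trailing dots and spaces are removed because Windows drops them from file
    names, so '.git.' would also land on the real .git directory.
    """
    return component.rstrip(". ").lower() == ".git"


def find_dotgit_paths(paths: Iterable[str]) -> List[str]:
    """Return every tree path that contains a component equivalent to '.git'."""
    hits = []
    for path in paths:
        if any(is_dotgit_component(c) for c in path.split("/")):
            hits.append(path)
    return hits


def scan_repository(repo_dir: str, ref: str = "HEAD") -> List[str]:
    """Run the check over a local repository's tree using `git ls-tree`."""
    listing = subprocess.run(
        ["git", "-C", repo_dir, "ls-tree", "-r", "--name-only", ref],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_dotgit_paths(listing.splitlines())


# Constructed sample listing, shaped like `git ls-tree -r --name-only` output.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                  # legitimate: component is ".gitignore"
    "docs/.github/CODEOWNERS",     # legitimate: component is ".github"
    ".Git/config",                 # the recapitalization the article describes
    "vendor/.GIT/hooks/post-checkout",
    ".git./config",                # Windows strips the trailing dot
]

if __name__ == "__main__":
    for offending in find_dotgit_paths(SAMPLE_TREE):
        print("rejected:", offending)
```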
The moral is that if you write programs that assume case sensitivity, make sure you allow for operating systems that don't.
More Information
Vulnerability announced: update your Git clients
Related Articles
Git and GitHub Top in Popularity Stakes