On the heels of
we are announcing another round of security updates to libgit2. Similar
to the prior vulnerability, an attacker can construct a git commit that,
when checked out, may cause files to be written to your .git directory,
which may lead to arbitrary code execution.
When attempting to write into a directory, we will follow symbolic links
in the working directory, instead of removing the link and re-creating a
directory in its place. On a case insensitive filesystem, this allows
an attacker to produce a commit that creates a symbolic link to the
.git directory, then creates a file in a folder with a name that differs
only in case. The previously written symbolic link would then be followed,
and the file would be written into the .git directory.
This vulnerability primarily affects Mac OS, as its filesystem, HFS+, is case insensitive by default and supports symbolic links. Git core is not affected by this vulnerability, nor are clients built on top of the git command-line interface.
In addition, GitHub for Mac was updated yesterday to include a fix for this issue.
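To make the mechanism concrete, here is an added example (not libgit2 code) that scans a tree's entries in checkout order and flags any regular file whose ancestor directory, compared case-insensitively, matches an earlier symbolic link. The tree contents, the mode strings and the function names are constructed for illustration; the point is that the same tree is harmless on a case-sensitive filesystem and dangerous on a case-insensitive one.

```python
# Constructed sample tree in the order a checkout would apply it:
# (path, git mode, symlink target). "120000" is a symlink, "100644" a file.
# The symlink "evil" points at ".git"; the later file lives under "EVIL/",
# which on a case-insensitive filesystem resolves to the existing symlink.
SAMPLE_TREE = [
    ("README.md", "100644", None),
    ("evil", "120000", ".git"),
    ("EVIL/hooks/post-checkout", "100644", None),
    ("src/main.c", "100644", None),
]

SYMLINK_MODE = "120000"


def _key(path, case_insensitive):
    # Simulate how the filesystem compares names: HFS+ folds case.
    return path.casefold() if case_insensitive else path


def find_symlink_case_collisions(entries, case_insensitive=True):
    """Return (file_path, symlink_path, symlink_target) for every regular
    file that would be written *through* a previously checked-out symlink
    because one of its ancestor directories collides with the link's name."""
    findings = []
    symlinks = {}  # filesystem-normalised path -> (original path, target)
    for path, mode, target in entries:
        if mode == SYMLINK_MODE:
            symlinks[_key(path, case_insensitive)] = (path, target)
            continue
        parts = path.split("/")
        # Check each ancestor directory: "EVIL", then "EVIL/hooks", ...
        for depth in range(1, len(parts)):
            ancestor = "/".join(parts[:depth])
            hit = symlinks.get(_key(ancestor, case_insensitive))
            if hit is not None:
                link_path, link_target = hit
                findings.append((path, link_path, link_target))
                break
    return findings


def targets_git_dir(link_target):
    """True when a symlink target lands inside the repository's .git directory."""
    return link_target == ".git" or link_target.startswith(".git/")


if __name__ == "__main__":
    for file_path, link, target in find_symlink_case_collisions(SAMPLE_TREE):
        print(f"{file_path!r} would be written through symlink {link!r} -> {target!r}"
              f" ({'.git dir!' if targets_git_dir(target) else 'outside .git'})")
```

A checkout that removes an existing symlink and creates a real directory in its place, as the fixed libgit2 does, is what removes the finding; the scan above only shows which trees would have triggered it.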
A big thanks goes out to Jeff Hostetler, who found this vulnerability
while researching additional areas where we could write into
.git. Jeff is a new member of the Microsoft Visual Studio team who
comes to us with an enviable resume building version control systems
and developer tools in general.
Thanks also to GitHub and Microsoft for their continued support of libgit2. I am particularly pleased that Microsoft is willing to invest in finding and fixing bugs that only affect other platforms like Mac OS.