
posted by Blackmoore on Monday December 22 2014, @08:00PM
from the get-out-the-ddt dept.

Found on Ars Technica — "Critical Git bug allows malicious code execution on client machines":

Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.

The critical vulnerability affects all Windows- and Mac-based versions of the official Git client and related software that interacts with Git repositories, according to an advisory published Thursday. The bug can be exploited to give remote code execution when the client software accesses booby-trapped Git repositories.

  • (Score: 2) by Jeremiah Cornelius on Monday December 22 2014, @08:07PM

    by Jeremiah Cornelius (2785) on Monday December 22 2014, @08:07PM (#128449) Journal

    fail. ;-)

    --
    You're betting on the pantomime horse...
  • (Score: 2) by meisterister on Monday December 22 2014, @08:13PM

    by meisterister (949) on Monday December 22 2014, @08:13PM (#128455) Journal

    ...or has there been an uptick in the number of vulnerabilities reported for big FOSS projects? It's great that they're being uncovered, but why now and why in such volume?

    --
    (May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
    • (Score: 2) by dyingtolive on Monday December 22 2014, @08:27PM

      by dyingtolive (952) on Monday December 22 2014, @08:27PM (#128462)

      I imagine the popularity breeds both a more average (lower) quality of code as well as a larger "audience" and thus more incentive to target.

      --
      Don't blame me, I voted for moose wang!
      • (Score: 2) by Nerdfest on Monday December 22 2014, @09:32PM

        by Nerdfest (80) on Monday December 22 2014, @09:32PM (#128481)

        I don't think these vulnerabilities are found due to being targeted, or at least not that I'm aware of. I don't recall seeing 'active exploits' mentioned in any of them, but that could be just bad reporting. I think they're being discovered because people are actively looking for them more these days, especially after the SSL debacle.

        • (Score: 2) by dyingtolive on Monday December 22 2014, @09:36PM

          by dyingtolive (952) on Monday December 22 2014, @09:36PM (#128484)

          Your theory is more optimistic all around. I think I prefer it.

          --
          Don't blame me, I voted for moose wang!
    • (Score: 4, Interesting) by Blackmoore on Monday December 22 2014, @08:32PM

      by Blackmoore (57) on Monday December 22 2014, @08:32PM (#128464) Journal

      I think more eyes are looking into the FOSS projects due to the Heartbleed problem.

      In the end it turns out that a development team of TWO can barely keep up with updates; much less audit their own code. And really - it's a good thing to get more people spotting and fixing these things. Remember when a bug would be spotted in windows, and it would get fixed ... never? and then things got better?

    • (Score: 0) by Anonymous Coward on Monday December 22 2014, @09:49PM

      by Anonymous Coward on Monday December 22 2014, @09:49PM (#128493)

      After the OpenSSL fiasco people may have finally begun looking for bugs instead of hoping other people look for bugs for them.

  • (Score: 2) by tibman on Monday December 22 2014, @08:56PM

    by tibman (134) Subscriber Badge on Monday December 22 2014, @08:56PM (#128471)

    Saw this yesterday. More of a trojan horse type thing (could be used with spear phishing?). Someone with windows or mac git software would have to clone a specific repository that contains the modified config. If someone has commit rights to a repository worth cloning and did something like this they would be exiled or something. File name collision is an interesting vulnerability though. That kind of stuff seems to come up a lot with mixed operating systems. Config==config in windows.

    --
    SN won't survive on lurkers alone. Write comments.
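The collision tibman describes, as an added example that is not Git's own code and not part of the thread: a tiny model of a case-insensitive, case-preserving filesystem, a hostile tree that ships a `.Git/config` entry, and the kind of path check a client needs before writing tree entries to disk. The helper names (`is_dotgit_component`, `path_is_safe`, `CaseInsensitiveFS`, `checkout`, `demo`), the sample tree and the `core.pager` setting in it are all constructed for illustration. The check goes slightly beyond the case-only collision the thread mentions: it also folds NTFS trailing dots and spaces, the 8.3 short name `GIT~1`, and the zero-width code points HFS+ ignores when comparing names, since each of those also aliases `.git` on the affected platforms.

```python
"""Case-collision check for checkout paths on case-insensitive filesystems.

Added example, not Git's own code. On Windows and macOS (case-insensitive by
default) a tree entry named `.Git/config` lands on the same file as
`.git/config`, so a hostile repository can plant configuration on clone.
All names here are hypothetical helpers written for illustration.
"""
import unicodedata

# Code points HFS+ ignores when comparing file names (assumption: the Unicode
# ignorable set; `.g\u200cit` compares equal to `.git` on such a volume).
HFS_IGNORABLE = {
    "\u200c", "\u200d", "\u200e", "\u200f",
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u206a", "\u206b", "\u206c", "\u206d", "\u206e", "\u206f",
    "\ufeff",
}


def is_dotgit_component(name: str) -> bool:
    """True if `name` would alias `.git` on a case-insensitive filesystem.

    Drops HFS+-ignorable code points, folds case, strips trailing dots and
    spaces (NTFS discards them on create) and catches the 8.3 name GIT~1.
    """
    folded = "".join(ch for ch in name if ch not in HFS_IGNORABLE)
    folded = unicodedata.normalize("NFC", folded).casefold().rstrip(". ")
    return folded in (".git", "git~1")


def path_is_safe(path: str) -> bool:
    """Reject any checkout path with a component that aliases `.git`."""
    return not any(is_dotgit_component(c) for c in path.split("/"))


class CaseInsensitiveFS:
    """Minimal model of a case-insensitive, case-preserving filesystem."""

    def __init__(self):
        self._files = {}  # casefolded path -> (name as written, contents)

    def write(self, path: str, data: str) -> None:
        # abc and ABC share one slot: the second write overwrites the first.
        self._files[path.casefold()] = (path, data)

    def read(self, path: str) -> str:
        return self._files[path.casefold()][1]


def checkout(fs: CaseInsensitiveFS, entries: dict, protect: bool) -> list:
    """Write tree entries into `fs`; with protect=True skip aliases of .git.

    Returns the list of rejected paths.
    """
    rejected = []
    for path, data in entries.items():
        if protect and not path_is_safe(path):
            rejected.append(path)
            continue
        fs.write(path, data)
    return rejected


# Constructed sample: a hostile tree whose `.Git/config` sets a command-running
# option (core.pager is one such setting; the value is made up).
HOSTILE_TREE = {
    "README": "innocent\n",
    ".Git/config": "[core]\n\tpager = evil.sh\n",
}

INIT_CONFIG = "[core]\n\trepositoryformatversion = 0\n"  # written by `git init`


def demo(protect: bool) -> str:
    """Clone-time checkout into a fresh case-insensitive FS; return the
    resulting contents of the real `.git/config`."""
    fs = CaseInsensitiveFS()
    fs.write(".git/config", INIT_CONFIG)
    checkout(fs, HOSTILE_TREE, protect=protect)
    return fs.read(".git/config")


if __name__ == "__main__":
    print("unprotected .git/config:", repr(demo(protect=False)))
    print("protected   .git/config:", repr(demo(protect=True)))
```

Run without protection the hostile entry replaces the repository's own config; with the check in place the entry is refused and `.git/config` keeps what `git init` wrote. A real client also needs the same check on the server side (pre-receive) so such a tree never gets pushed, and on any other metadata path the filesystem could alias.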
  • (Score: -1, Troll) by MichaelDavidCrawford on Monday December 22 2014, @09:40PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday December 22 2014, @09:40PM (#128486) Homepage Journal

    So of course he wrote Git in C.

    Perhaps had he written Git in C++, it wouldn't have this problem.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 4, Informative) by tibman on Monday December 22 2014, @09:47PM

      by tibman (134) Subscriber Badge on Monday December 22 2014, @09:47PM (#128490)

      The vulnerability is really outside the project and lies with the filesystem. Git tries to write a file called abc and the filesystem overwrites a file called ABC. The language used is immaterial in this case. Good attempt at some kind of flamebait though : )

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 1) by MichaelDavidCrawford on Monday December 22 2014, @09:51PM

        by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday December 22 2014, @09:51PM (#128494) Homepage Journal

        -systems.

        While it's true that the native Linux filesystems are case-sensitive, it supports lots of case-insensitive ones. Not just from Microsoft, also Apple HFS, HFS+, BeOS BFS and so on.

        --
        Yes I Have No Bananas. [gofundme.com]
        • (Score: 2) by pe1rxq on Monday December 22 2014, @09:56PM

          by pe1rxq (844) on Monday December 22 2014, @09:56PM (#128496) Homepage

          So first you accuse Linus of using the wrong language, now you accuse him of maintaining a kernel with support for too many filesystems????
          Are you aware that the operating systems which are vulnerable are macOS and Windows? Both of which do not run the Linux kernel?

          What will be your next try?

  • (Score: 0) by Anonymous Coward on Monday December 22 2014, @09:40PM

    by Anonymous Coward on Monday December 22 2014, @09:40PM (#128487)

    A story on a critical bug and it ISN'T about systemd??? I think Mr. Anonymous Coward is slacking off on his story submissions.

    • (Score: 2) by emg on Monday December 22 2014, @10:01PM

      by emg (3464) on Monday December 22 2014, @10:01PM (#128500)

      It's only critical on Windows and Mac, since no Linux distro I'm aware of uses a stupid case-insensitive filesystem. And I don't think systemd has infected Windows or Mac yet.

      • (Score: 0) by Anonymous Coward on Monday December 22 2014, @11:44PM

        by Anonymous Coward on Monday December 22 2014, @11:44PM (#128526)

        And I don't think systemd has infected Windows or Mac yet.

        I'm sure it's only a matter of time before someone lands a patch allowing systemd to replace svchost on Windows. At which juncture, the systemd cabal will presumably subsume Wine and equilibrium will have been achieved.

  • (Score: 0, Offtopic) by MichaelDavidCrawford on Monday December 22 2014, @10:11PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Monday December 22 2014, @10:11PM (#128503) Homepage Journal

    If you want a bug fixed in just about any program, I would be happy to do it for quite a reasonable consulting fee.

    I'm not just blowing smoke; at Apple I was a "Debug Meister", at Sony Ericsson Mobile Communications I was on the "Men in Black Team" for the Xperia Play. I was hired as Product Development Manager at Working Software because I told the owner I was a wizard with MacsBug.

    I used to do embedded work on target boards where my only "debugger" was a bank of eight LEDs, that I could toggle on and off by writing a byte into a specific (hard-wired) memory location.

    I once debugged a server hang with an oscilloscope - Physicists know how to do stuff like that - then actually fixed the bug with new serial cables, that had less capacitance. The original cables exhibited capacitive coupling - also known as parasitic capacitance - so our servers were trying to log in the garbled username that they received whenever they emitted the "SunOS login:" prompt, leading to a feedback loop that swamped their CPUs.

    I also make a pretty mean pasta sauce.

    If you'd like me to debug some code - not necessarily your code, if it's a Free Software codebase that you use, or that you care about - mail me at mdcrawford@gmail.com [mailto]

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2, Funny) by Anonymous Coward on Monday December 22 2014, @11:02PM

      by Anonymous Coward on Monday December 22 2014, @11:02PM (#128519)

      I can text, drink, and carve a turkey in a high speed chase.

      I finished Minecraft. Twice.

      I can tell if a lie detector tells a lie.

      I've seen a peanut stand, and I've heard a rubber band. I've even seen a needle wink its eye.

      I can eat a Rubik's Cube and crap it out solved.

      I can touch MC Hammer.

      I once beat a scarecrow in a staring contest.

      • (Score: 1) by srobert on Tuesday December 23 2014, @12:42AM

        by srobert (4803) on Tuesday December 23 2014, @12:42AM (#128549)

        And do you also prefer Dos Equis?

      • (Score: 0) by Anonymous Coward on Tuesday December 23 2014, @12:43AM

        by Anonymous Coward on Tuesday December 23 2014, @12:43AM (#128550)

        Just To Watch Him Die.

      • (Score: 0) by Anonymous Coward on Tuesday December 23 2014, @06:09PM

        by Anonymous Coward on Tuesday December 23 2014, @06:09PM (#128718)

        If only you had a roundhouse kick. But sorry, You Are Not Chuck Norris.

      • (Score: 2) by cafebabe on Wednesday December 24 2014, @10:03PM

        by cafebabe (894) on Wednesday December 24 2014, @10:03PM (#129000) Journal

        I can eat a Rubik's Cube and crap it out solved.

        I've seen Bruce Schneier eat two Rubik cubes and crap out one solved and the other in the checkerboard pattern [wikihow.com].

        --
        1702845791×2
    • (Score: 0) by Anonymous Coward on Tuesday December 23 2014, @09:22AM

      by Anonymous Coward on Tuesday December 23 2014, @09:22AM (#128620)
      Dude, you really have to remember to take your meds.

      p.s. you may wish to update your sig too.