Thursday, March 17, 2016

Git <= 2.7.3: Buffer Overflow Exploit Possible

According to Mattias Geniar, remote code execution via buffer overflow is possible in all git versions (client + server) < 2.7.1 (See: CVE-2016-2324, CVE-2016‑2315 or original post to the seclist by LaĆ«l Cellier). But in this post, it corrects that to say that the Git patch has not been incorporated as of 2.7.3- that change is only in master and it provides links to master and the patches.

In OS X, I just did this to get the latest- you might want to also:

brew update && brew upgrade git
However, as of 2016-03-17 that only updates to 2.7.3 which does not fix the problem, so you'll have to build master or download/patch yourself until homebrew is updated. Try it just in case, though, if you are reading this later.

Update!: As of 2016-03-18, Git 2.7.4 contains a fix. It can be downloaded from and elsewhere. The OS X Homebrew version/recipe was updated, so might want to do this:

brew update && brew upgrade git

No comments: