Git & Mercurial Security Updates

Published on December 19, 2014, by Brian


Client-side vulnerabilities have been identified in both Git and Mercurial that could let a crafted repository compromise a user's machine when it is cloned or checked out on a case-insensitive file system, which is the default on both Mac OS X and Windows.

In Git, according to the git-blame blog, the problem is that Git only refused the literal path component `.git`: any other spelling, such as `.Git/<anything>` or `.GIT/<anything>`, could be committed to a tree and was written out on checkout. On a case-insensitive file system those names resolve to the real `.git` directory, so a checkout of the malicious tree overwrites files inside it.

An attacker who gets you to clone or pull such a repository can therefore replace your `.git/config`, which controls, among other things, where your remotes point; the next time you run `git pull` you may be fetching code from a server the attacker chose. On OS X there is an additional issue: HFS+ treats certain Unicode codepoints as ignorable when comparing file names, so a component such as `.g<U+200C>it` is also mapped onto `.git` even though it is not a simple case variant.
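To make the two failure modes concrete, here is an added example (written for this article; it is not code from the RhodeCode post, from RhodeCode Enterprise or from Git itself) that walks a list of tree paths and flags every component that would land in the real `.git` directory on a case-insensitive file system. It applies the rules described above: case-folding and trailing dots or spaces on NTFS, the `GIT~1` 8.3 short name on NTFS, and the ignorable codepoints on HFS+. The function names and the sample tree listing are constructed for the example.

```python
# Added example (not from the RhodeCode post or from git's source): a check
# that flags tree path components which alias the ".git" directory on a
# case-insensitive file system. Sample paths below are constructed.

# Codepoints that HFS+ ignores when comparing file names; the same set the
# git fix checks for (U+200C-U+200F, U+202A-U+202E, U+206A-U+206F, U+FEFF).
HFS_IGNORABLE = (
    set(range(0x200C, 0x2010))
    | set(range(0x202A, 0x202F))
    | set(range(0x206A, 0x2070))
    | {0xFEFF}
)


def ntfs_key(component):
    """Name NTFS/Win32 would actually compare: case-folded, with trailing
    dots and spaces dropped (".Git." and ".git " both open ".git")."""
    return component.rstrip(". ").lower()


def hfs_key(component):
    """Name HFS+ would compare: case-folded, ignorable codepoints removed,
    so ".g\u200cit" collapses to ".git"."""
    return "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE).lower()


def dotgit_aliases(path):
    """Return a list of (component, reason) for every path component that
    would be written into the real .git directory on Windows or OS X.
    The literal ".git" is listed too, although git has always refused it."""
    findings = []
    for comp in path.split("/"):
        if comp == ".git":
            findings.append((comp, "literal .git"))
        elif ntfs_key(comp) == ".git":
            findings.append((comp, "NTFS: case-folding or trailing dots/spaces"))
        elif ntfs_key(comp) == "git~1":
            findings.append((comp, "NTFS: 8.3 short name of .git"))
        elif hfs_key(comp) == ".git":
            findings.append((comp, "HFS+: ignorable codepoints and case-folding"))
    return findings


def scan_tree(paths):
    """Map each offending path in a tree listing to its findings."""
    report = {}
    for path in paths:
        hits = dotgit_aliases(path)
        if hits:
            report[path] = hits
    return report


# Constructed tree listing, as `git ls-tree -r --name-only HEAD` might print
# it for a crafted repository. The last two entries are benign look-alikes.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".GIT/config",
    ".git./hooks/post-checkout",
    "GIT~1/config",
    ".g\u200cit/config",
    ".gitignore",
    "docs/dotgit/notes.txt",
]

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_TREE).items():
        for comp, reason in hits:
            print(f"{path!r}: component {comp!r} aliases .git ({reason})")
```

Note that `.gitignore` and `docs/dotgit/notes.txt` are correctly left alone: only whole path components that collapse onto `.git` matter, not substrings. Fixed Git releases perform an equivalent check themselves when writing the working tree (controlled by `core.protectNTFS` and `core.protectHFS`), and a hosting server can refuse to accept such trees on push by enabling `receive.fsckObjects`.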

For Mercurial users, the equivalent problem (a crafted repository overwriting files under `.hg` on a case-insensitive file system) is described in the release notes of the fixed Mercurial release.

Having investigated both of these issues today, we are happy to say that neither affects your running instance of RhodeCode Enterprise. However, you should still update the Git and Mercurial clients on your workstations.

Git Server-Side

On the RhodeCode Enterprise server side there is no issue. The server does not read its configuration or permission settings from `.git/config`; all of that is managed by RhodeCode Enterprise itself rather than set in the Git repository, so a pushed tree containing a `.GIT/config` entry is stored as ordinary repository data and cannot change how the server behaves.

Mercurial Server-Side

On the RhodeCode Enterprise server side there is also no issue. All Mercurial configuration and permission settings are managed by RhodeCode Enterprise and are not read from the repository's `.hg` directory.

Client-Side

On your local machine, update your Git and/or Mercurial client to a fixed release (Git 2.2.1, or the maintenance releases 1.8.5.6, 1.9.5, 2.0.5 and 2.1.4; Mercurial 3.2.3). Running a newer client against an older server causes no problems, and the update protects your workstation against repositories crafted to exploit this vulnerability.