4

In December everyone and his grandmother were talking about CVE-2014-9390 and we were all busy installing the git maintenance releases.

Looking at my Xcode installation today - 41 days later - I still see a version 1.9.3 (Apple Git-50) from October lurking in /Applications/Xcode.app/Contents/Developer/usr/bin/.

Apple did update git in Xcode 6.2 beta 3. But apparently they didn't bother updating their current "golden master build".

So, if you are using Xcode's built-in git services, you are still working with a vulnerable version. What is the recommended approach in this situation? Delete the file?

armin

1 Answer

1

Since the exploit is triggered only when you pull from untrusted repositories, and Apple has not released patches for previous Xcode versions, you have two options:

  1. Jump to the beta branch.

  2. Do not pull from untrusted repositories. GitHub repos are safe, because they explicitly disallow repositories containing the exploit. Update internal git servers, and inspect unknown repositories before pulling.

Edit (3/10/15): As of today, upgrading to Xcode 6.2 is an option! The new release fixes this option (see APPLE-SA-2015-03-09-4).

Ohnana
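One way to carry out the "inspect unknown repositories before pulling" step from option 2, as an added example that is not part of the original answer: a small Python checker that reads the output of `git ls-tree -r --name-only <ref>` for a ref that has been fetched but not checked out, and flags any path component that would collide with `.git` on a case-insensitive filesystem. That collision (including HFS+ ignorable code points and the NTFS 8.3 short name `GIT~1`) is the condition the fixed git versions refuse to write. The set of HFS+ ignorable code points below is my assumption about what git's own check uses, and the sample listing is constructed for the example.

```python
"""Flag tree paths that fold to ".git" on case-insensitive filesystems.

Added example for inspecting an untrusted repository before checkout,
written from a defender's perspective; not code from the original Q&A.
"""
import sys

# Code points that HFS+ ignores when comparing file names. Assumption:
# this mirrors the list git's own path check uses; adjust if it differs.
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
}


def folds_to_dotgit(component: str) -> bool:
    """True if a single path component collides with ".git" under
    case folding, HFS+ ignorable-code-point stripping, or the NTFS
    8.3 short name "git~1"."""
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    lowered = stripped.casefold()
    return lowered in (".git", "git~1")


def suspicious_paths(tree_listing: str) -> list[str]:
    """Return every path in a `git ls-tree -r --name-only` listing that
    has a component colliding with ".git". Blank lines are ignored."""
    hits = []
    for line in tree_listing.splitlines():
        path = line.strip()
        if not path:
            continue
        if any(folds_to_dotgit(part) for part in path.split("/")):
            hits.append(path)
    return hits


# Constructed sample listing: a mix of benign paths and paths that a
# vulnerable client on a case-insensitive filesystem would write into
# the real .git directory at checkout time.
SAMPLE_LISTING = """\
README.md
src/main.c
.Git/config
.GIT/hooks/post-checkout
.g\u200cit/hooks/post-checkout
docs/GIT~1/config
lib/.gitignore
"""


def main() -> int:
    """Read a listing from stdin (or use the sample) and report hits.
    Exit status 1 when anything suspicious is found, 0 otherwise."""
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    hits = suspicious_paths(listing)
    for path in hits:
        print(f"SUSPICIOUS: {path}")
    print(f"{len(hits)} suspicious path(s) found")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the vulnerable client only misbehaves when it writes the working tree, fetching into an empty repository with `git init && git fetch <url> <branch>` and then piping `git ls-tree -r --name-only FETCH_HEAD` into this script lets you look at the tree before any checkout happens; a non-zero exit status means the ref should not be checked out with an unpatched git.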