Apple Patches Two Flaws in Xcode's Git Implementation

Michael Mimoso, Threatpost (threatpost.com), May 04, 2016 - 3:02 p.m.

Apple has updated its Xcode development environment, patching two vulnerabilities in its implementation of git.

Git is a version control system, and in March its maintainers patched two flaws that exposed the software to remote code execution.

The new version of Xcode, 7.3.1, is available for El Capitan v10.11 and later.

Apple said it updated git to version 2.7.4, patching a heap-based buffer overflow that occurred in the way it handled filenames.
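A quick way for an administrator to confirm that a machine's git is at or above the 2.7.4 level Apple shipped in Xcode 7.3.1 is to parse the `git --version` banner and compare it field by field. The script below is an added example, not code from the Threatpost article or from Apple; it assumes the banner has the usual `git version X.Y.Z ...` shape (Apple's builds append a suffix such as `(Apple Git-NN)`) and treats 2.7.4 as the minimum patched version named in the article.

```shell
#!/bin/sh
# Added example: report whether an installed git is at least 2.7.4,
# the version Apple bundled with Xcode 7.3.1 (assumption: that is the
# minimum acceptable version for this check).
MIN_GIT_VERSION="2.7.4"

# version_ge HAVE WANT: return 0 if dotted version HAVE >= WANT,
# comparing up to three numeric fields; missing fields count as 0.
version_ge() {
    have="$1"; want="$2"
    old_ifs=$IFS; IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
    IFS=$old_ifs
    for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3"; do
        set -- $pair
        if [ "$1" -gt "$2" ]; then return 0; fi
        if [ "$1" -lt "$2" ]; then return 1; fi
    done
    return 0
}

# git_version_from_banner BANNER: print the X.Y.Z part of a
# "git version 2.7.4 (Apple Git-66)"-style banner, or nothing if it
# does not look like a git version banner.
git_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# git_is_patched BANNER: 0 if the banner's version >= MIN_GIT_VERSION,
# 1 if it is older, 2 if the banner could not be parsed.
git_is_patched() {
    ver=$(git_version_from_banner "$1")
    [ -n "$ver" ] || return 2
    version_ge "$ver" "$MIN_GIT_VERSION"
}

# Stand-alone use: check the git on this machine (constructed banner is
# used if git is not installed, so the script still runs offline).
if command -v git >/dev/null 2>&1; then
    banner=$(git --version)
else
    banner="git version 2.6.4 (Apple Git-63)"   # constructed sample
fi
if git_is_patched "$banner"; then
    echo "OK: $banner (>= $MIN_GIT_VERSION)"
else
    echo "WARNING: $banner is older than $MIN_GIT_VERSION or unrecognised"
fi
```

The comparison is numeric per field, so 2.10.0 is correctly treated as newer than 2.7.4, which a plain string comparison would get wrong.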

Belgian researcher Mattias Geniar wrote about the git flaws in March, saying that the bug had the potential to be huge because it enabled server- and client-side remote code execution.

“In order to push to a remote git repository, you need write access which for most git servers would require some kind of authentication / authorization first,” he wrote of potential server exploits. “However, for services like Bitbucket or Github where you can create or clone a repository without approval from an admin, the consequences could be bigger as anyone can attempt to trigger the vulnerability.”

On the client side, he said the flaw could be triggered by cloning a repository with large filenames.

“To clone a repository you just need a local user account on a Linux or Windows machine with access to the git binary. This leaves the door wide open for, well, pretty much everyone,” he wrote. “If you allow users to execute arbitrary code on your servers, you could have a problem (think of PHP’s exec(), system(), … calls). Any system with local users that allows the execution of git client commands should be carefully watched.”

Xcode, meanwhile, was the center of some Apple trouble in September with the emergence of the XcodeGhost malware for iOS.

Hackers had managed to host a Trojanized version of Xcode, which is used to build apps for iOS and OS X. The code is freely available, and a version of it hosted in China was modified with malware. Researchers at Palo Alto Networks sniffed out the trouble and determined that the malicious version of Xcode, dubbed XcodeGhost, had been used for months to build legitimate iOS apps carrying the malware that were subsequently hosted in the App Store.