What Ivar said. This isn't really a problem if you only ever clone things from github, but it's a better reason than usual for updating our dependency versions so I fixed it on master anyway. We'll be sure to backport it so the next bugfix release of Julia will come with updated Git binaries. I would have updated the OSX binaries even further to the very latest 2.2.1 release of Git, except that I don't have a Mac to test on and I don't want to accidentally break Pkg in some obscure way. Staying within the 1.8 branch should be relatively safe, one would think, and there was a maintenance release for that branch that includes the fix for this vulnerability.
On Friday, December 19, 2014 1:23:42 AM UTC-8, Ivar Nesje wrote:

> This is indeed a serious bug, but Pkg is already a system for distributing and executing arbitrary code, so it does not create any additional risk in our context. Pkg executes anything it finds in `deps/build.jl`, and that is a known and deliberate risk we take in order for packages to be able to install binary dependencies. We need to trust the package author to not put malicious code in his repo. Also, almost all our packages are hosted on github, and they know about the problem, are blocking new attempts, and are scanning their existing repos for this exploit, so if you pull repos from github you should be safe.
>
> There are good reasons to upgrade and it is great that the git community takes this seriously, but your time is probably better spent actually reviewing the code you pull from random guys' github repos than worrying about the ability to own your system 10 seconds earlier because you get hacked when typing
>
>     git clone
>     # instead of 10 seconds later, when you type
>     make
>
> If you use git to access data, or to actually review code and diffs *before* executing it, and you use OSX or Windows and a less serious git host than Github, you should definitely update ASAP, but that's not a very common case for Julia users of Pkg.
>
> Regards Ivar
>
> At 09:06:40 UTC+1 on Friday, 19 December 2014, Tomas Lycken wrote the following:
>
>> Some of you may already have seen this, but a critical git security vulnerability has just been announced. In short, the vulnerability allows *arbitrary command execution on clients*, and affects *all case-insensitive file systems*.
>>
>> Github published a nice summary [1] with links to a whole bunch of client vendors who have released patches that fix this problem, as well as a little more detail (and links to a lot more details) on what the problem was.
>>
>> I think it would be a good idea to update Julia to make sure that whatever git version Pkg uses isn't exposed, although I'm not quite sure what is required to do so.
>>
>> [1]: https://github.com/blog/1938-vulnerability-announced-update-your-git-clients
>>
>> // Tomas
