Apple Patches Xcode, Fixing Severe Vulnerabilities

Apple has released a security update for its Xcode integrated development environment, patching two critical flaws that led to remote code execution.

Apple patches critical Xcode flaws

Xcode is a development environment containing a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software.

Addressing serious vulnerabilities in Xcode's git version control system implementation, the fixes target the CVE-2016-2315 and CVE-2016-2324 vulnerabilities. Affecting version 2.7.3 and earlier of Git, the vulnerabilities are server- and client-side remote code execution flaws. These flaws can be exploited by pushing or cloning a repository with large filenames or a large number of nested trees. While these vulnerabilities were patched in March with the release of Git 2.7.4, when users tried to install Xcode on OS X El Capitan, they received Git 2.6.4, a version released back in December.

CVE-2016-2315 is a heap-based buffer overflow vulnerability "which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow." CVE-2016-2324 is "server and client side remote code execution through a buffer overflow in all git versions before 2.7.1."

Security researcher Mattias Geniar wrote about these Git flaws in March, warning that these flaws could be exploited for remote execution. Writing of potential server and client side exploits, he said,

In order to push to a remote git repository, you need write access, which for most git servers would require some kind of authentication / authorisation first. However, for services like Bitbucket or Github where you can create or clone a repository without approval from an admin, the consequences could be bigger as anyone can attempt to trigger the vulnerability.

To clone a repository you just need a local user account on a Linux or Windows machine with access to the git binary. This leaves the door wide open for, well, pretty much everyone. If you allow users to execute arbitrary code on your servers, you could have a problem (think of PHP's exec(), system(), ... calls).

Any system with local users that allows the execution of git client commands should be carefully watched.

Apple has now addressed both these problems and has updated Git to version 2.7.4 in Xcode 7.3.1. Users on OS X El Capitan 10.11 and later can download Xcode from here.
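As an added example that is not part of the article or of Apple's tooling, the following shell check reports whether the git binary found on PATH (Xcode's, on a Mac with the command line tools selected) still predates Git 2.7.4, the release carrying the fix. It relies only on git's own "git version X.Y.Z ..." banner; the sample banners in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the article: does the git binary predate Git 2.7.4,
# the release that fixed CVE-2016-2315 and CVE-2016-2324? The banner format
# "git version X.Y.Z ..." is git's own; the sample banners below are constructed.

FIXED_VERSION="2.7.4"

# parse_git_version "<banner>": print the dotted version, e.g.
# "git version 2.6.4 (Apple Git-63)" -> "2.6.4"; print nothing if unrecognised.
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*$/\1/p'
}

# version_lt A B: succeed (0) when dotted version A is strictly lower than B.
# Compares the first three numeric fields; missing fields count as 0.
version_lt() {
    v1="$1.0.0"; v2="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i"); b=$(printf '%s' "$v2" | cut -d. -f"$i")
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# git_vulnerable "<banner>": 0 if that git still lacks the fix, 1 if patched,
# 2 if the banner could not be parsed.
git_vulnerable() {
    ver=$(parse_git_version "$1")
    [ -n "$ver" ] || { echo "unrecognised git banner: $1" >&2; return 2; }
    version_lt "$ver" "$FIXED_VERSION"
}

# Check the git on PATH when one is present (on a Mac with Xcode, Apple's build).
if command -v git >/dev/null 2>&1; then
    banner=$(git --version 2>/dev/null) || banner=""
    if git_vulnerable "$banner"; then
        echo "VULNERABLE: '$banner' predates Git $FIXED_VERSION (shipped in Xcode 7.3.1)"
    elif [ -n "$(parse_git_version "$banner")" ]; then
        echo "OK: '$banner'"
    fi
fi
```

The Git 2.6.4 build the article says El Capitan users received would be flagged; Xcode 7.3.1's Git 2.7.4 passes.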

Source: https://wccftech.com/apple-updates-xcode-fixing-severe-vulnerabilities/

Posted by: petrusnich1967.blogspot.com
