Apple this week announced a security update for the Xcode macOS development environment that resolves three Git vulnerabilities, including one leading to arbitrary code execution.
The first of the issues, CVE-2022-29187, is a variant of CVE-2022-24765, a bug impacting users on multi-user machines, where “a malicious actor could create a .git directory in a shared location above a victim’s current working directory.”
An attacker could exploit the flaw by creating configuration files in the malicious .git directory and, by using specific variables, achieve arbitrary command execution on the shared machine.
“An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository,” the vulnerability’s description reads.
The bug impacts all Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5. With the latest version of Xcode, Apple updated Git to version 2.32.3, which resolves ‘multiple issues’.
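A defender-side check for the shared-directory condition described above, as an added example that is not Apple's or Git's own code: it walks from a working directory up to the filesystem root and reports every .git entry owned by a different user. The function names are hypothetical, and this is a simplified ownership audit, not a reimplementation of Git's own check.

```python
import os
import sys
from pathlib import Path


def git_entries_above(start):
    """Yield (path, owner_uid) for each .git entry at or above `start`.

    Git looks for a repository in the current directory and then in each
    parent, so every one of these locations can influence a git command
    that is run from `start`.
    """
    here = Path(os.path.realpath(start))
    for directory in (here, *here.parents):
        candidate = directory / ".git"
        try:
            # lstat: report the owner of the entry itself (directory,
            # gitfile or symlink), not of whatever a symlink points to.
            info = os.lstat(candidate)
        except OSError:
            continue  # no .git here, or the path cannot be inspected
        yield str(candidate), info.st_uid


def foreign_git_entries(start, uid=None):
    """Return the .git entries above `start` not owned by `uid`
    (default: the current user)."""
    uid = os.getuid() if uid is None else uid
    return [(p, owner) for p, owner in git_entries_above(start) if owner != uid]


if __name__ == "__main__":
    # Audit the directory given on the command line, or the current one.
    start = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    findings = foreign_git_entries(start)
    for path, owner in findings:
        print(f"WARNING: {path} is owned by uid {owner}, not by you")
    sys.exit(1 if findings else 0)
```

Run it from a shared location such as a tmp directory before invoking git there; a non-zero exit status means a .git entry owned by another user sits on the discovery path.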
Now rolling out to macOS Monterey 12.5 and later as version 14.1, the latest Xcode iteration also resolves CVE-2022-39253, a security defect that could lead to information leaks.
The issue exists because of Git’s behavior when performing local clones and can be exploited by tricking a victim into cloning a repository that contains a symbolic link pointing at sensitive information on the victim’s system.
Tracked as CVE-2022-39260, the third Git vulnerability resolved in Xcode this week could lead to arbitrary code execution when git shell – which supports Git’s push/pull functionality via SSH – is allowed as a login shell.
A fourth vulnerability addressed in Xcode 14.1 impacts the IDE Xcode server. Tracked as CVE-2022-42797, the issue could allow malicious applications to gain root privileges.