Secunia reports git 2.14.1.1 not secure


#1

I’m running Atom 1.20.1 x64 on Windows 10 Pro. Our local sysadmin runs the Secunia security scanner, which has flagged the version of git.exe included in my Atom distribution as insecure.

It does seem like problems with git would be in the Atom dev team’s wheelhouse, so I’m assuming that the 2.14.1.1 version of git.exe included in Atom 1.20.1 is not subject to the problems Secunia is complaining about. But explain that to the sysadmin…

Any idea when Atom will have an update for git.exe? Or is there a way to update an individual module buried in the Atom internals?

Thanks,
Doug


#2

In my experience, virus claims against software developers are often based on false positives (and that says a lot about the quality of antivirus software!). In any case, it’s always a good idea to do a cross-check to be sure!

I did a quick check against Virus Total and 0 of 64 antivirus tools detected a threat. If your git.exe really is infected, the cause is likely elsewhere.


#3

I believe Secunia checks for outdated programs with potential security vulnerabilities, not for viruses.

I don’t know when Atom’s version of Git will be updated, though I can ask around and potentially get back to you.


#4

Yes, I believe you’re right about Secunia just looking for the outdated versions. Here’s the Secunia advisory that my sysadmin forwarded to me:

Description:
A vulnerability has been reported in GIT, which can be exploited by malicious users to compromise a vulnerable system.

  1. An error related to git-cvsserver can be exploited to inject and execute arbitrary shell commands via git-shell.

The vulnerability is reported in versions 2.14.x prior to 2.14.2, 2.13.x prior to 2.13.6, 2.12.x prior to 2.12.5, 2.11.x prior to 2.11.4, and 2.10.x prior to 2.10.5.

Solution:
Update to version 2.14.2, 2.13.6, 2.12.5, 2.11.4 or 2.10.5.

Provided and/or discovered by:

  1. joernchen, Phenoelit Group.

Original Advisory:
GIT:
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.2.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.13.6.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.12.5.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.11.4.txt
https://github.com/git/git/blob/master/Documentation/RelNotes/2.10.5.txt

joernchen:
http://seclists.org/oss-sec/2017/q3/att-534/git_cvsserver.txt

Other References:
https://github.com/git/git/commit/7451fcdc0d3cffdb9aa79d2651830b44a8e052d6

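The advisory above gives the fix as a set of per-line minimum versions, so the practical check is whether a given git.exe reports a version below the fixed release for its 2.x line. The script below is an added example, not part of this thread or of Atom's or Git's own code: it parses `git --version` output (both the plain `2.14.1.1` form quoted in the first post and the `2.14.1.windows.1` form Git for Windows prints) and classifies it against the five ranges the advisory lists. The path you pass to `version_of` is whichever git.exe you want to check; the example does not assume where Atom keeps its copy. Applied to the `2.14.1.1` string from the first post, it reports that version as inside the 2.14.x range the advisory names. A version check only says whether a binary is in the affected range, not whether the vulnerable component (git-cvsserver reached through git-shell) is actually exposed in a given installation.

```python
import re
import subprocess

# Fixed releases from the advisory quoted above, keyed by (major, minor) line.
# Everything in a listed line below its fixed release is in the affected range.
FIXED_VERSIONS = {
    (2, 14): (2, 14, 2),
    (2, 13): (2, 13, 6),
    (2, 12): (2, 12, 5),
    (2, 11): (2, 11, 4),
    (2, 10): (2, 10, 5),
}

# Leading dotted digits only; a trailing ".windows.1" is ignored.
_VERSION_RE = re.compile(r"git version (\d+(?:\.\d+)*)")


def parse_git_version(output):
    """Return the numeric components of `git --version` output as a tuple.

    Accepts "git version 2.14.1.1" and "git version 2.14.1.windows.1";
    only the leading run of dotted integers is used.
    """
    match = _VERSION_RE.search(output.strip())
    if not match:
        raise ValueError("unrecognised git version output: %r" % output)
    return tuple(int(part) for part in match.group(1).split("."))


def classify(output):
    """Classify `git --version` output against the advisory's ranges.

    Returns "vulnerable" if the version is below the fixed release for its
    line, "fixed" if it is at or above it, and "not covered" if the advisory
    does not list that line at all (it says nothing about 2.9.x or 2.15.x).
    """
    version = parse_git_version(output)
    if len(version) < 2:
        raise ValueError("version has no minor component: %r" % (version,))
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not covered"
    # Tuple comparison handles a fourth component: (2, 14, 1, 1) < (2, 14, 2).
    return "vulnerable" if version < fixed else "fixed"


def version_of(git_exe):
    """Run the given git binary and return its `--version` output (assumed
    helper; pass the full path of the git.exe you want to check)."""
    return subprocess.run([git_exe, "--version"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample strings, including the one quoted in the first post.
    for sample in ("git version 2.14.1.1",
                   "git version 2.14.1.windows.1",
                   "git version 2.14.2",
                   "git version 2.15.0"):
        print("%-32s -> %s" % (sample, classify(sample)))
```

To check a real binary, replace the sample strings with `classify(version_of(r"C:\path\to\git.exe"))`; the placeholder path is yours to fill in.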

#5

A PR is now open to explicitly update Git to 2.14.2. https://github.com/atom/github/pull/1197


#6

Thanks, I’ll be on the lookout for the update.