Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Issue affects Git integration in Visual Studio 2013 Update 4


View products that this article applies to.

Resolution

Update for Microsoft Visual Studio 2013 Update 4 (KB3023577)

Download the update for Microsoft Visual Studio 2013 Update 4 to fix an issue in Git.

 

 How the fix works

For Team Foundation Server (TFS), the fix rejects any push (upload) that contains a file or path component that matches the ".git" string. This prevents the introduction of bad files into hosted repos.

For the Visual Studio client, the fix prevents any file from being checked out into the .git directory. This, in turn, prevents repos that contain bad files from affecting the user's local computer.

↑ Back to the top


About the issue in Git

This is an issue that manifests across the Git ecosystem and that is not unique to Microsoft support for Git repositories in our development platforms. Nevertheless, we took important, proactive steps to help make sure that Microsoft customers who use Git repositories are protected against this issue.

The issue that affects all Git clients was discovered by the core Git maintainers. This issue allows for the introduction of a file into a Git repo. The file is named in such a way that when a user downloads the changes in a remote repository, a specially crafted file could silently replace the user's config file. The user’s config file resides outside the repository. By replacing this file with a bad file, git commands can be remapped in order to execute arbitrary commands that run under the user's credentials.

Impact on Visual Studio

Visual Studio 2013 and Visual Studio TFS 2013 are not directly affected by this issue. Visual Studio and TFS do not execute arbitrary commands from the .git metadata. However, checking out a repo that contains a specially crafted file could cause Visual Studio to overwrite portions of the .git metadata, exposing the Git for Windows command-line tools to the issue. TFS was proactively patched to prevent the spread of this issue.

↑ Back to the top


Cause

Each local Git database is maintained on a disk in the repo's root folder in a hidden .git directory. When files are being checked out (for example, laid out on the local disk after downloading), a file that's named ".GIT/config" is put into the Git database. A case-insensitive comparison for ".git" is partly responsible for this issue. Additionally, the automatic handling of file paths on Windows platforms expands the affected file patterns to much more than the explicitly named ".GIT/config" pattern.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: kbfix, kbsurveynew, atdownload, kb

↑ Back to the top

Article Info
Article ID : 3023577
Revision : 3
Created on : 6/13/2017
Published on : 6/13/2017
Exists online : False
Views : 356