
Then you will get caught by some GUI that uses /usr/bin/git. Be aware changes to PATH in your shell startup files do not affect graphical applications at all.

Just installing git from Homebrew or MacPorts is not enough to be safe from this remote code execution.




Yosemite and El Capitan prioritize /usr/local/bin over /usr/bin, so if you install the latest version of git via Homebrew, you're mostly okay. If you're using Mavericks or older, it is as described above.

That said, any program that invokes /usr/bin/git directly instead of /usr/bin/env git would still be vulnerable.

It's not as big of a problem as the article makes it out to be so long as you install a newer version of git.

If you're really concerned, the filesystem restrictions mentioned can be bypassed by booting into safe mode. Though it's still not a good idea to mess with the default program installations since Apple may depend on that particular version of git for some program.
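The two points made in the comments above (PATH order decides which git a lookup finds, and a hard-coded /usr/bin/git bypasses PATH altogether), as an added example that is not from any commenter. The directory tree and launcher scripts are constructed stand-ins, the function names are hypothetical, and the GUI PATH used is an assumed one that lacks /usr/local/bin.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh; all names are hypothetical.

# first_git PATH_STRING: print the first executable "git" found when walking
# the colon-separated PATH_STRING left to right, as a PATH lookup would.
first_git() {
    _rest=$1:
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        [ -n "$_dir" ] || _dir=.          # empty PATH element means cwd
        if [ -f "$_dir/git" ] && [ -x "$_dir/git" ]; then
            printf '%s\n' "$_dir/git"
            return 0
        fi
    done
    return 1
}

# hardcoded_git FILE...: list files that contain the literal /usr/bin/git,
# i.e. launchers that never consult PATH.
hardcoded_git() {
    grep -l -F -e '/usr/bin/git' -- "$@" 2>/dev/null
}

# make_demo_tree: build a constructed tree standing in for /usr/local/bin and
# /usr/bin, plus two sample launcher scripts, and print its root directory.
make_demo_tree() {
    _root=$(mktemp -d "${TMPDIR:-/tmp}/gitpath.XXXXXX") || return 1
    mkdir -p "$_root/usr/local/bin" "$_root/usr/bin" "$_root/apps"
    for _d in usr/local/bin usr/bin; do
        printf '#!/bin/sh\necho stub\n' > "$_root/$_d/git"
        chmod +x "$_root/$_d/git"
    done
    printf '#!/bin/sh\nexec /usr/bin/env git "$@"\n' > "$_root/apps/uses_env.sh"
    printf '#!/bin/sh\nexec /usr/bin/git "$@"\n' > "$_root/apps/hardcoded.sh"
    printf '%s\n' "$_root"
}

root=$(make_demo_tree)
shell_path="$root/usr/local/bin:$root/usr/bin"  # shell: Homebrew directory first
gui_path="$root/usr/bin:$root/bin"              # assumed GUI PATH, no /usr/local/bin
echo "shell PATH resolves to: $(first_git "$shell_path")"
echo "GUI PATH resolves to:   $(first_git "$gui_path")"
echo "bypasses PATH:          $(hardcoded_git "$root"/apps/*)"
rm -rf "$root"
```

On a real machine, pass `"$PATH"` to `first_git` and point `hardcoded_git` at the launcher scripts you want to audit.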


Does it come pre-installed? I thought it came only with Xcode Command-Line Tools. Which personally I don't have (anything I use is from Homebrew).

If it is there without XCLT, then anyone reading this is more than capable of removing it, and dealing with anything that subsequently can't find it.


The article made it look like you were basically fucked. I stopped using GUIs for git about a week into starting using git. Just avoid GUIs, use Homebrew, and you'll avoid this problem.



