System Integrity Protection prevents you from fixing vulnerabilities on your machine
-
https://rachelbythebay.com/w/2016/04/17/unprotected/
OS X prevents you from modifying binaries distributed with the OS. Git 2.6.4 is distributed with the OS. Git 2.6.4 has a remote code execution vulnerability.
Interesting that they were able to eventually find and chmod -x the git binary, stopping it from working. What good is SIP in the first place then?
-
@Buddy said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
What good is SIP in the first place then?
It's a phone thing, isn't it?
-
Well, maybe Apple backports security updates to the supplied version of Git? Just like Debian (stable) usually backports security fixes rather than moving to a new upstream version.
-
I remember once picking up a piece of malware on a work computer because the link I clicked on while a web page was loading moved, leading me to click on a tainted ad instead of the actual link I was trying to follow.
And then being stuck with the malware because "security software" wouldn't let me run the fix that would have removed it.
-
@Buddy said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
Git 2.6.4 is distributed with the OS. Git 2.6.4 has a remote code execution vulnerability.
Well, a quality OS vendor would have back-ported the security fix. I assume from your post that Apple has not. Then again, a quality OS vendor wouldn't ship Git with their OS, because it's garbage.
EDIT:
mini$ git --version
git version 2.6.4 (Apple Git-63)
It looks to me like Apple's already at least modifying Git, which means they're probably back-porting fixes. Did this guy actually try the exploit?
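The post above reads the Apple build tag out of `git --version` to argue that the number alone does not say whether a fix was back-ported. As an added example (not code from the thread or from Apple), here is a small POSIX sh inventory check that parses a `git --version` line, separates the upstream version from the vendor tag, and compares the upstream version against a minimum the caller supplies. The minimum version `2.7.0` and the sample output lines are constructed placeholders; the real fixed release is not stated in the thread and would have to be looked up.

```shell
# Added example: classify a `git --version` line against a minimum version.
# The minimum version and the sample lines below are constructed placeholders.

# Print the upstream dotted version from a `git --version` line.
git_upstream_version() {
    # "git version 2.6.4 (Apple Git-63)" -> "2.6.4"
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*$/\1/p'
}

# Print the vendor tag in parentheses, or "upstream" if there is none.
git_vendor_tag() {
    case "$1" in
        *\(*\)*) printf '%s\n' "$1" | sed 's/^.*(\(.*\)).*$/\1/' ;;
        *) printf 'upstream\n' ;;
    esac
}

# Return 0 when dotted version $1 >= dotted version $2, comparing up to three
# numeric components. Missing components count as 0 ("2.6" == "2.6.0").
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        # Append dots so cut always sees a delimiter, even for "2".
        x=$(printf '%s..' "$a" | cut -d. -f"$i")
        y=$(printf '%s..' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Print "ok", "vendor-patched?", "vulnerable" or "unknown" for a version line.
# A vendor-tagged build below the minimum cannot be judged from the number
# alone, because the vendor may have back-ported the fix without bumping it;
# that case is flagged for manual review rather than declared safe or unsafe.
classify_git() {
    line="$1"; minimum="$2"
    v=$(git_upstream_version "$line")
    [ -n "$v" ] || { printf 'unknown\n'; return 0; }
    if version_ge "$v" "$minimum"; then
        printf 'ok\n'
    elif [ "$(git_vendor_tag "$line")" != "upstream" ]; then
        printf 'vendor-patched?\n'
    else
        printf 'vulnerable\n'
    fi
}

# Constructed sample lines; in practice feed it "$(git --version)".
classify_git "git version 2.6.4 (Apple Git-63)" "2.7.0"
classify_git "git version 2.6.4" "2.7.0"
classify_git "git version 2.8.1" "2.7.0"
```

The three sample lines classify as "vendor-patched?", "vulnerable" and "ok" respectively. The middle state is the point of the check: a build like `Apple Git-63` is exactly the case where the version string cannot settle the question and someone has to read the vendor's patches.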
-
@blakeyrat said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
Then again, a quality OS vendor wouldn't ship Git with their OS, because it's garbage.
I think it's shipped with the developer tools (as are a few other VCS clients, such as svn). Which sort-of makes sense I guess. It's still shit, of course…
-
@blakeyrat said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
Then again, a quality OS vendor wouldn't ship Git with their OS, because it's garbage.
No, a quality OS wouldn't ship git with their OS because it's not the sort of thing that belongs as part of an OS, regardless of quality.
-
@blakeyrat git is open source. Apple's patches to git are open source. According to random users on twitter who claim to have viewed that source, git-63 does not contain the fix.
-
@Buddy said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
According to random users on twitter who claim to have viewed that source, git-63 does not contain the fix.
Well...why didn't you just say so? There is no more credible source than "random users on Twitter".
-
@Polygeekery I already said it's open source. You can look at the code yourself if you really want to know. Besides, if Apple did fix a vulnerability in code they distribute, don't you think they would mention that?
-
@Buddy said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
You can look at the code yourself if you really want to know.
Pfffffbt. No thank you.
-
@dkf said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
I think it's shipped with the developer tools
Specifically the command line tools package for Xcode.
-
The problem here is not SIP. Its entire purpose is to prevent you (and your applications) from dicking with files the system deems to be part of the system.
The problem is:
Apple's failure to patch the damned thing in a timely manner.
And possibly the misclassification of git as part of the system. It's not misclassified if anything that is part of the system uses it (I can't imagine why such a thing would exist, but I cannot rule it out).
So if xcode is part of the system (for instance, it hooks into the kernel at the low level or something) and you are prevented from dicking with xcode binaries, and xcode depends on git, git isn't misclassified.
-
@Weng yeah, I guess I could see it that way. Being prevented from dicking with the system isn't really my cup of tea, but that's what apple is all about. But if you're trusting apple to protect your system, something goes wrong with your system, it's Apple's fault.
Although I'm starting to think that, realistically, a remote code execution bug in git probably isn't as big of a deal as it may sound. If homebrew's repo, or any repo checked out by brew, is compromised they wouldn't need to exploit a vulnerability in git to get you to run their code, or why did you even install it in the first place?
-
@Buddy said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
if Apple did fix a vulnerability in code they distribute
and did so independent of a major OS re-release, I'd be astonished.
Apple's commitment to security theatre is second to none. To actual security, not so much. Bear in mind that this is the same firm whose Apple Account password policies declare tvcpb.tmpdl.toxer.xskpi.chjvx "too weak" while Apple123 is jes' fine.
-
@flabdablet said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
@Buddy said in System Integrity Protection prevents you from fixing vulnerabilities on your machine:
if Apple did fix a vulnerability in code they distribute
and did so independent of a major OS re-release, I'd be astonished.
Apple's commitment to security theatre is second to none. To actual security, not so much. Bear in mind that this is the same firm whose Apple Account password policies declare tvcpb.tmpdl.toxer.xskpi.chjvx "too weak" while Apple123 is jes' fine.
And Apple123 is always somewhere at the beginning of brute-force lists. Well done, Apple.