Resolution
Update for Microsoft Visual Studio 2013 Update 4 (KB3023577)
Download the update for Microsoft Visual Studio 2013 Update 4 to fix an issue in Git.
How the fix works
For Team Foundation Server (TFS), the fix rejects any push (upload) that contains a file or path component that matches the ".git" string. This prevents the introduction of bad files into hosted repos.
For the Visual Studio client, the fix prevents any file from being checked out into the .git directory. This, in turn, prevents repos that contain bad files from affecting the user's local computer.
About the issue in Git
This is an issue that manifests across the Git ecosystem and that is not unique to Microsoft support for Git repositories in our development platforms. Nevertheless, we took important, proactive steps to help make sure that Microsoft customers who use Git repositories are protected against this issue.
The issue that affects all Git clients was discovered by the core Git maintainers. This issue allows for the introduction of a file into a Git repo. The file is named in such a way that when a user downloads the changes from a remote repository, the specially crafted file could silently replace the user's config file. The user's config file resides outside the repository. By replacing this file with a bad file, Git commands can be remapped in order to execute arbitrary commands that run under the user's credentials.
Impact on Visual Studio
Visual Studio 2013 and Visual Studio TFS 2013 are not directly affected by this issue. Visual Studio and TFS do not execute arbitrary commands from the .git metadata. However, checking out a repo that contains a specially crafted file could cause Visual Studio to overwrite portions of the .git metadata, exposing the Git for Windows command-line tools to the issue. TFS was proactively patched to prevent the spread of this issue.
Cause
Each local Git database is kept on disk in a hidden .git directory in the repo's root folder. When files are being checked out (that is, laid out on the local disk after downloading), a file named ".GIT/config" is written into the Git database instead of being treated as an ordinary working-tree file. A case-insensitive comparison for ".git" is partly responsible for this issue. Additionally, the automatic handling of file paths on Windows platforms (for example, trailing dots and spaces being dropped, and 8.3 short names) expands the affected file patterns to much more than the explicitly named ".GIT/config" pattern.
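The following is an added example, not Microsoft's or Git's own code, of the kind of server-side path check described under "How the fix works", applied to the patterns described in this "Cause" section: it flags any repo-relative path whose components would resolve to the .git directory once case folding, Windows trailing-dot/space stripping, and the NTFS 8.3 short name for ".git" (assumed here to be "GIT~1", or another "GIT~<digit>" variant) are taken into account. The sample paths are constructed for illustration.

```python
import re

# Rules this check assumes (not taken from the KB article):
#  1. Git treats the ".git" name case-insensitively.
#  2. Win32 path handling drops trailing dots and spaces from a component,
#     so ".git." and ".git " open the same directory as ".git".
#  3. NTFS 8.3 short names map ".git" to "GIT~1" (or GIT~2, ... on collision).

def _normalize_component(component: str) -> str:
    """Fold a single path component the way a Windows file system would."""
    return component.rstrip(". ").lower()

def is_dotgit_component(component: str) -> bool:
    """True if this single component would resolve to the .git directory."""
    norm = _normalize_component(component)
    if norm == ".git":
        return True
    # 8.3 short-name form: "git~" followed by one or more digits.
    return norm.startswith("git~") and norm[4:].isdigit()

def is_unsafe_path(path: str) -> bool:
    """True if any component of a repo-relative path would land inside .git."""
    # Accept both separators; a pushed tree may have been built on any OS.
    for component in re.split(r"[\\/]+", path):
        if component and is_dotgit_component(component):
            return True
    return False

def reject_unsafe_paths(paths):
    """Server-side filter: return the paths for which a push should be refused."""
    return [p for p in paths if is_unsafe_path(p)]

if __name__ == "__main__":
    # Constructed sample of paths as they might appear in a pushed tree.
    sample = [
        ".GIT/config",                 # case-insensitive match
        ".git./hooks/post-checkout",   # trailing dot dropped by Windows
        "GIT~1/config",                # 8.3 short name
        "src/main.c",                  # ordinary file
        "docs/.gitignore",             # not a .git component
        "not.git/x",                   # suffix only, not a match
    ]
    print(reject_unsafe_paths(sample))
```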
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.