Update for Microsoft Visual Studio 2013 (KB3023302)
Download the update for Microsoft Visual Studio 2013 to fix an issue in Git.
For Team Foundation Server (TFS) products, the fix rejects any push (upload) that contains a file or path component that matches the ".git string. This prevents the injection of bad files into hosted repos.
For the Visual Studio client, the fix prevents any file from being checked out into the .git directory. This prevents repos that contain bad files from affecting the local user's computer.
This is an issue that manifests across the Git ecosystem and that is not unique to Microsoft support for Git repositories in our development platforms. Nevertheless, we took important, proactive steps to help make sure that Microsoft customers who use Git repositories are protected against this issue.
The issue that affects all Git clients was discovered by the core Git maintainers. The issue allows for the introduction of a file into a Git repo. The file is named in such a way that when a user downloads the changes in a remote repository, a specially crafted file could silently replace the user's config file. The user’s config file resides outside the repository. By replacing this file with a bad file, git commands can be remapped in order to execute arbitrary commands that run under the user's credentials.
Visual Studio 2013 and Visual Studio TFS 2013 are not directly affected by this issue. Visual Studio and TFS do not execute arbitrary commands from the .git metadata. However, checking out a repo that contains a specially crafted file could cause Visual Studio to overwrite portions of the .git metadata, exposing the Git for Windows command-line tools to the issue. TFS was proactively patched to prevent the spread of this issue.
Each local Git database is maintained on a disk in the repo's root folder in a hidden .git directory. When files are being checked out (for example, laid out on the local disk after downloading), a file that is named ".GIT/config" is placed inside the Git database. A case-insensitive comparison for ".git is partially responsible for this issue. Furthermore, the automatic handling of file paths on Windows platforms expands the affected file patterns to much more than the explicitly named ".GIT/config pattern.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.