"Apple Rolls Out Xcode Update Patching Git Vulnerabilities"

Apple recently announced a security update for the Xcode macOS development environment that resolves three Git vulnerabilities, including one leading to arbitrary code execution.

The first of the issues, CVE-2022-29187, is a variant of CVE-2022-24765, a bug affecting users of multi-user machines, where "a malicious actor could create a .git directory in a shared location above a victim's current working directory." Apple noted that an attacker could exploit the flaw to create configuration files in the malicious .git directory and, by using specific variables, achieve arbitrary command execution on the shared machine. Apple stated that the bug impacted all Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5. With the latest version of Xcode, Apple updated Git to version 2.32.3, which resolves "multiple issues."

Now rolling out to macOS Monterey 12.5 and later as version 14.1, the latest Xcode iteration also resolves CVE-2022-39253, a security defect that could lead to information leaks. Tracked as CVE-2022-39260, the third Git vulnerability resolved in Xcode this week could lead to arbitrary code execution.

A fourth vulnerability addressed in Xcode 14.1 impacts Xcode Server. Tracked as CVE-2022-42797, the issue could allow malicious applications to gain root privileges.

SecurityWeek reports: "Apple Rolls Out Xcode Update Patching Git Vulnerabilities"

Submitted by Anonymous on