Apple Fixes Code Execution Flaw in Xcode

Apple has released an update for its Xcode IDE that includes fixes for several security vulnerabilities, including one that leads to arbitrary code execution in some circumstances.

Three of the four bugs Apple fixed are in Git, including the remote code execution flaw. That vulnerability (CVE-2022-39260) is a heap overflow in the Git shell, which can be used as a login shell over SSH. In order for an attacker to gain code execution using this bug, the victim must be using Git shell as the login shell.

“Before executing commands, git shell splits the given string into an array with split_cmdline(). This function improperly uses an int to represent the number of entries (argc) in the argv array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting argv array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine,” the description of the bug says.

“Note that a victim must first allow access to git shell as a login shell, and allow interactive mode by having the $HOME/git-shell-commands directory present in order to be vulnerable to this attack.”

Xcode is Apple’s integrated development environment for software development on macOS.

One of the other vulnerabilities Apple patched is a separate issue in Git that can allow for the disclosure of sensitive information.

“When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source’s $GIT_DIR/objects directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via --no-hardlinks),” the vulnerability description says.

“A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim’s machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the --recurse-submodules option.”

Apple also fixed a serious vulnerability in its Xcode Server that can allow an application to gain root privileges. The fourth fix included in Xcode 14.1 addresses several other issues in Git.