Git Vulnerability Resolved in Config file

The Git community reported an issue that could possibly allow developers' machines to be taken over. This issue is not unique to Microsoft's Git implementation or to Windows.

The main problem is with a file called config inside your local Git repository; you will find it in the .git folder. If you inspect the file, it contains a number of personal/preference settings in addition to aliases for git commands.

The developer community has discovered a bug where various permutations of the .git folder name were not caught by the Git client's filtering logic. These permutations include mixed case (gIT), Windows filename shortening (.git~123), and ignorable Unicode code points (.g\u200cit\config).

Git Vulnerability

Hence, if someone pushed a malicious config file under one of these permutations, the Git clients of other developers would check it out, overwriting their personal config file and hijacking their git commands.

The bug affects the Windows NTFS and Mac OS X HFS+ filesystems, both of which are case-insensitive.

Microsoft, in association with other members of the Git community, has worked to provide fixes for the issue described above:

(1) Applied a patch to VS Online, TFS 2013 (both RTM and Update 4) and Codeplex that prevents the server from accepting pushes of .git\config files. There were no reported issues with the server, but the patch was applied to reduce the possibility of any unpatched client being exploited through one of our services.

If you are using TFS 2013 Update 1, 2 or 3 then you will need to upgrade to Update 4 before applying the patch.

(2) Microsoft released patches for Visual Studio 2013 RTM, Visual Studio 2013 Update 4 and for our Visual Studio 2012 VSIX extension to enable customers to patch their clients before the possible occurrence of this issue.

(3) Microsoft also worked with the developer community to patch the LibGit2 open source library that many of us share as the core of our Git implementations.
