Git Vulnerability Announced


A critical security vulnerability in Git (CVE-2014-9390) was announced yesterday. As LOOT and BOSS are affected by this, I’ll go over what this means for them and their users.

Essentially, the vulnerability means that if you use Git to download a repository that has been crafted in a certain way, it can lead to arbitrary code execution, i.e. someone can hack your computer. LOOT and BOSS use Git to update their masterlists by downloading remote masterlist repositories, so they’re affected by this vulnerability.
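The crafting that CVE-2014-9390 relies on is a tree entry whose path component is only spelled differently from ".git" (different case, an NTFS 8.3 short name, trailing dots or spaces, or Unicode code points that HFS+ ignores), so that a case-insensitive or normalising filesystem checks it out into the real .git directory, where a hook it contains then runs. The script below is an added example, not code from the original post or from the LOOT/BOSS projects: it scans a list of repository paths (a constructed sample standing in for the output of `git ls-tree -r --name-only HEAD`) and flags entries that resolve to .git under those rules. The HFS+ ignorable code point list is an assumption taken from the HFS+ normalisation rules that Git's `core.protectHFS` check is based on; `core.protectNTFS` covers the NTFS cases.

```python
"""Flag repository paths that a case-insensitive or normalising filesystem
would resolve to ".git" (the spellings abused by CVE-2014-9390).

Added example for the post above; not LOOT/BOSS code and not Git's own
implementation. Run it against `git ls-tree -r --name-only HEAD` output
from a repository you intend to fetch from an untrusted host.
"""
from typing import List, Optional, Tuple

# Code points HFS+ drops when comparing file names. ASSUMPTION: this list
# follows the HFS+ normalisation rules behind Git's core.protectHFS check.
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))   # U+202A..U+202E bidi embedding controls
    + list(range(0x206A, 0x2070))   # U+206A..U+206F deprecated format chars
)


def is_hfs_dotgit(component: str) -> bool:
    """True if HFS+ would treat this name as .git after dropping ignorables."""
    stripped = "".join(ch for ch in component if ord(ch) not in HFS_IGNORABLE)
    return stripped.lower() == ".git"


def is_ntfs_dotgit(component: str) -> bool:
    """True if NTFS would open this name as .git.

    NTFS ignores trailing dots and spaces, compares case-insensitively, and
    exposes ".git" through the 8.3 short name "GIT~1".
    """
    stripped = component.rstrip(". ")
    return stripped.lower() in (".git", "git~1")


def classify_component(component: str) -> Optional[str]:
    """Return the filesystem rule under which the component becomes .git."""
    if is_ntfs_dotgit(component):
        return "ntfs"
    if is_hfs_dotgit(component):
        return "hfs"
    return None


def scan_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, rule) for every entry with a component resolving to .git."""
    findings = []
    for path in paths:
        for component in path.split("/"):
            rule = classify_component(component)
            if rule is not None:
                findings.append((path, rule))
                break
    return findings


# Constructed sample tree listing; the masterlist entries mimic a LOOT-style
# repository, the rest are deliberately hostile spellings plus two benign
# look-alikes that must not be flagged.
SAMPLE_TREE = [
    "masterlist.yaml",
    "README.md",
    ".GIT/hooks/post-checkout",           # case-folded on Windows / OS X
    "git~1/config",                       # NTFS 8.3 short name for .git
    ".git. /hooks/post-checkout",         # NTFS strips trailing dot and space
    ".g\u200cit/hooks/post-checkout",     # HFS+ drops U+200C ZERO WIDTH NON-JOINER
    "docs/.gitignore",                    # legitimate, not a .git directory
    "src/digits/file.txt",                # "git" substring only, benign
]


if __name__ == "__main__":
    for path, rule in scan_paths(SAMPLE_TREE):
        print(f"{rule:4s}  {path!r}")
```

A repository that produces any finding should not be checked out with a pre-fix Git (or a library bundling pre-fix Git code) on Windows or OS X; the mitigation in the post, reverting to a GitHub-hosted masterlist repository or disabling updates, avoids the fetch altogether.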

The Good News

GitHub have said that they now scan for and block any specially-crafted repositories that can exploit the vulnerability. This means that it’s safe to access any repository on GitHub.

The official repositories that LOOT and BOSS use by default to update their masterlists are hosted on GitHub, so users are safe if they stick with them. Users are also safe if they use any other repository that is hosted on github.com.

The Bad News

LOOT and BOSS users can change their settings to use different repositories for updates. If a user changes their settings to point to a repository that is not on GitHub, then they may not be safe. At the time of writing, GitHub is the only popular host that has said it blocks malicious repositories.

What To Do

Users

If you’re not using the official repositories or any other repositories on GitHub to update your masterlist, either switch back to them or disable masterlist updating.

LOOT users can restore their default settings by deleting their %LOCALAPPDATA%\LOOT\settings.yaml file. BOSS users can restore their default settings by deleting their BOSS.ini file, which is found in the folder to which they installed BOSS.

Me

I have released a new beta of LOOT v0.7 this weekend to fix the vulnerability.

I will also be releasing a fix for LOOT v0.6, but this may take a little longer, as I haven’t looked at its codebase in a while, and there may be a few compatibility issues that need to be worked out. Update: I have now released LOOT v0.6.1 as an update to v0.6, which includes the vulnerability fix.

I will not be releasing any update for BOSS, as I haven’t been supporting it for a long time.
