-
Bug
-
Resolution: Fixed
-
Highest
-
1.4.0
-
None
-
Severity 1 - Critical
SourceTree for Mac is affected by a command injection vulnerability in URI handling. The vulnerability can be triggered through a browser or the SourceTree interface.
Affected versions:
- Versions of SourceTree for Mac starting with 1.4.0 before version 2.5.1 are affected by this vulnerability.
Fix:
- Upgrade SourceTree for Mac to version 2.5.1 or higher from https://www.sourcetreeapp.com/
Acknowledgements
We would like to credit Yu Hong for reporting this issue to us.
For additional details see the full advisory.
[SRCTREE-4738] Command Injection (CVE-2017-8768)
@Brian Ganninger Have you tried it also with the Info.plist modification as mentioned in step 1? I just re-tested this... it looks like if I modify the Info.plist to comment out the CFBundleURLTypes entry and I re-register SourceTree with LaunchServices using the following command, the URL scheme still doesn't trigger SourceTree:
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -v /Applications/SourceTree.app/
I also tried uncommenting the entry in Info.plist and un-registering then re-registering it and the URL Scheme once again triggers SourceTree. This seems to imply the URL scheme is permanently disabled by editing the Info.plist along with unregistering SourceTree unless I'm missing something?
Hi cmc,
Unfortunately, not at the moment. We support two versions of macOS and do not support older versions of SourceTree. As a best practice, we recommend updating to the most current version to get new features, bug fixes, and security patches. Thank you for reaching out.
Best,
Rahul
Product Manager | SourceTree
Any chance we'll see a release of SourceTree that fixes this bug for OS releases prior to 10.11?
murat619405784 That's just a bogus URL, not an actual exploit. If it was ST would alert you.
After upgrading to 2.5.1, the 'open sourcetree://test' command from terminal still makes SourceTree gain focus. Does this mean that the vulnerability isn't fixed, or is it still fixed by 2.5.1 in some other way?
Thanks
yat.so In my testing (10.11.6) this unregisters the application as a handler only until the next time it's launched; in addition it exhausts all handlers it can find on the system [that took me a bit to ferret out.] For active users this workaround won't suffice.
I might've found a workaround if I understand the bug correctly.
- Open /Applications/SourceTree.app/Contents/Info.plist and comment out CFBundleURLTypes (not sure if this is necessary, but this is just in case)
Should look like this:
<!--<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleURLName</key>
<string>SourceTree URL</string>
<key>CFBundleURLSchemes</key>
<array>
<string>sourcetree</string>
<string>github-mac</string>
</array>
</dict>
</array>--> - Open a Terminal.
- Confirm the SourceTree's URL scheme is bound.
- Run `open sourcetree://test`. SourceTree will open or gain focus.
- Run `open github-mac://test`. SourceTree will open or gain focus.
- Run:
/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -u /Applications/SourceTree.app/ - Confirm the SourceTree's URL scheme has been unbound.
- Run `open sourcetree://test`. You should see an error like:
The file <YOUR CURRENT DIRECTORY>/sourcetree:/test does not exist. - Run `open github-mac://test`. You should see an error like:
The file <YOUR CURRENT DIRECTORY>/github-mac:/test does not exist.
- Run `open sourcetree://test`. You should see an error like:
Sounds like this is a nasty bug that could be exploited as a drive by even if you are merely browsing the web and hopefully this mitigates the issue.
I don't want to upgrade my copy of SourceTree because I don't like the UI changes and bugs that have been introduced recently. What behaviors should I avoid to protect myself from this security vulnerability? "The vulnerability can be triggered through a browser or the SourceTree interface" is not very descriptive.
Ah yes I forgot about the app signature. If I understand your screenshot correctly, it looks like the later versions of SourceTree automatically checks the signature on launch? I guess my version of SourceTree is too old to even have that lol. I can manually verify that the signature validation fails though:
$ codesign -dv --verbose=4 /Applications/SourceTree.app/
/Applications/SourceTree.app/: invalid signature (code or signature have been modified)
Unfortunately I can't update SourceTree on my OSX version and I think I'd rather live with an incorrect signature than a potential drive-by exploit.
BTW, this is kind of off-topic but how do you @ mention correctly? Doesn't seem to work