If you’ve been holding out on updating your SourceTree client, now might be the time to reconsider, with a “critical” vulnerability found in older versions of the program. Both Mac and Windows flavours are affected.
Here are the specific version numbers:
SourceTree for Mac 1.4.0
SourceTree for Windows 0.8.4b
The advisory from Atlassian doesn’t contain specifics on how the vulnerability works, but you can find information on the Common Vulnerabilities and Exposures website:
Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme.
It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.
You have two options — either update SourceTree to the latest version, or disable the sourcetree:// URI. Obviously, the former is recommended; however, if you’re in a situation where upgrading isn’t practical, follow these steps:
1. Locate the HKEY_CLASSES_ROOT\sourcetree key in the registry.
2. Delete everything except the key itself.
3. Change the key permissions so no user has write access (untick “Full Control”).
SourceTree will attempt to regenerate the key on startup, hence the permissions change. For new versions, a checkbox is available that should prevent SourceTree from doing this.
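The three registry steps above, scripted as an added example (not from the article or from Atlassian). It assumes an elevated PowerShell session on Windows and that the handler is registered at HKEY_CLASSES_ROOT\sourcetree; the Test- function is a hypothetical name for the check a practitioner would run afterwards.

```powershell
# Added example: empty HKEY_CLASSES_ROOT\sourcetree and leave only read access so that
# SourceTree cannot regenerate the sourcetree:// handler on startup. Run elevated.
$ErrorActionPreference = 'Stop'
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$keyPath = 'HKCR:\sourcetree'   # assumption: handler registered machine-wide

function Disable-SourceTreeUriHandler {
    if (-not (Test-Path $keyPath)) {
        Write-Output "$keyPath not present; the sourcetree:// handler is not registered."
        return
    }
    # Step 2: delete every subkey and value, but keep the key itself.
    Get-ChildItem -Path $keyPath | Remove-Item -Recurse -Force
    foreach ($name in (Get-Item -Path $keyPath).GetValueNames()) {
        if ($name -eq '') { $name = '(default)' }   # provider name for the default value
        Remove-ItemProperty -Path $keyPath -Name $name -Force
    }
    # Step 3: replace the inherited ACL with read-only entries (no "Full Control").
    $acl = Get-Acl -Path $keyPath
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited rules
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $keyPath -AclObject $acl
}

function Test-SourceTreeUriHandlerDisabled {
    # $true when the key is absent, or is empty and no Allow ACE grants a write right.
    if (-not (Test-Path $keyPath)) { return $true }
    $key = Get-Item -Path $keyPath
    if ($key.SubKeyCount -ne 0 -or $key.ValueCount -ne 0) { return $false }
    # Only rights that modify the key; ReadKey shares no bits with these.
    $writeBits = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -Path $keyPath).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (($ace.RegistryRights -band $writeBits) -ne 0)) {
            return $false
        }
    }
    return $true
}

Disable-SourceTreeUriHandler
Test-SourceTreeUriHandlerDisabled   # expect True once the workaround is in place
```

HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a per-user SourceTree install may keep its handler under HKCU\Software\Classes\sourcetree; point $keyPath there to apply the same steps.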
SourceTree Security Advisory 2017-05-10 [Atlassian]