Is the SourceTree Mac app susceptible to the recently exposed Sparkle vulnerability?

I was surprised to not find any reference to this issue on the support site.

4 answers

1 accepted

I was browsing other questions to find the ID of an Atlassian staff member, and found this question: https://answers.atlassian.com/questions/36117100

Which referenced this bug: https://jira.atlassian.com/browse/SRCTREE-3379

That does address the issue and the fix has been included in version 2.2 released today.


I upgraded to latest version 2.2. But still I am seeing that http protocol is being used for the AppCast xml. So I believe it's still susceptible to MITM.

I found this in a comment online: http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

Here's how to list all apps that use Sparkle on your system, and what version they are using:

find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

You're looking for versions prior to 1.13.1 (as per https://github.com/sparkle-project/Sparkle/releases). These are vulnerable if they are set to load any assets over unsecured HTTP. Perhaps someone else can chime in on where those URLs can be found.

IF SourceTree doesn't use Sparkle, I'm not sure why they'd be expected to comment about it. To be fair, I don't use a Mac, so I can't check this myself. Maybe they do use Sparkle and should be more on top of the issue, idk.

I haven't looked into why that command doesn't pick it up but SourceTree looks to me to be using it. I have the latest version (2.1) installed and the value of CFBundleShortVersionString in the following file is 1.8.0:

/Applications/SourceTree.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist
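The two checks the thread asks for, the bundled Sparkle version (the find one-liner above) and whether the appcast feed is fetched over plain http:// (the point raised about version 2.2), as one added audit script. This is example code written for this page, not anything shipped by Atlassian or the Sparkle project. It reads Sparkle's documented SUFeedURL key from each app's Info.plist and treats 1.13.1 as the first fixed release as the thread does; the function names, the verdict labels and the sample plist are constructed for this example, and the /Applications walk itself only makes sense on macOS (plutil is used there to expand binary plists).

```shell
#!/bin/sh
# Added example (not from the original thread): flag Sparkle-based apps that
# (a) bundle a Sparkle older than 1.13.1 and (b) fetch their appcast over
# plain http://. SUFeedURL is Sparkle's own Info.plist key; everything else
# here (function names, verdict labels, sample data) is constructed.

# Return 0 (true) if Sparkle version $1 is older than 1.13.1.
sparkle_is_old() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 13 ]; then return 0; fi
    if [ "$minor" -gt 13 ]; then return 1; fi
    [ "$patch" -lt 1 ]
}

# Return 0 (true) if the feed URL $1 uses unencrypted HTTP.
feed_is_http() {
    case "$1" in
        http://*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read the <string> that follows <key>$1</key> in an XML plist on stdin.
plist_string() {
    awk -v k="<key>$1</key>" '
        found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
        index($0, k)        { found = 1 }
    '
}

# Emit a plist as XML text; binary plists are expanded with plutil on macOS.
read_plist() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# One-word verdict for an app from its Sparkle version and its feed URL.
#   VULNERABLE   old Sparkle and an http:// feed (the case the thread describes)
#   HTTP-FEED    fixed Sparkle, but the appcast is still fetched over http://
#   UNKNOWN-FEED no SUFeedURL in Info.plist (feed may be set in code)
#   OK           https:// feed
assess() {
    ver=$1; url=$2
    if [ -z "$url" ]; then echo "UNKNOWN-FEED"; return; fi
    if feed_is_http "$url"; then
        if sparkle_is_old "$ver"; then echo "VULNERABLE"; else echo "HTTP-FEED"; fi
    else
        echo "OK"
    fi
}

# Walk /Applications with the same path pattern as the thread's one-liner,
# then look up the owning app bundle's SUFeedURL and print one line per app.
scan_applications() {
    find /Applications -path '*Autoupdate.app/Contents/Info.plist' 2>/dev/null |
    while IFS= read -r plist; do
        app=${plist%%/Contents/Frameworks/*}
        ver=$(read_plist "$plist" | plist_string CFBundleShortVersionString)
        url=$(read_plist "$app/Contents/Info.plist" | plist_string SUFeedURL)
        printf '%s\t%s\t%s\t%s\n' "$(assess "$ver" "$url")" "$app" "$ver" "${url:-<no SUFeedURL>}"
    done
}

# Constructed sample Info.plist, matching the 1.8.0 / http:// situation reported above.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleShortVersionString</key>
	<string>1.8.0</string>
	<key>SUFeedURL</key>
	<string>http://example.invalid/appcast.xml</string>
</dict>
</plist>'

# Offline demonstration on the sample; pass --scan on a Mac to walk /Applications.
if [ "${1:-}" = "--scan" ]; then
    scan_applications
else
    v=$(printf '%s\n' "$SAMPLE_PLIST" | plist_string CFBundleShortVersionString)
    u=$(printf '%s\n' "$SAMPLE_PLIST" | plist_string SUFeedURL)
    printf 'sample: sparkle=%s feed=%s verdict=%s\n' "$v" "$u" "$(assess "$v" "$u")"
fi
```

Run it as `sh audit.sh --scan` on the Mac in question; a VULNERABLE line is an app to update or stop using, and an HTTP-FEED line is one whose vendor should move the appcast to https even though the Sparkle build itself is fixed. The version compare only understands dotted numeric versions, which is what Sparkle's Autoupdate.app reports.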

0 vote
Der Lun Ooi Atlassian Team Feb 13, 2016

HTTP protocol works the same regardless of which operating system you are using, so the short answer is yes, you are vulnerable to a man-in-the-middle attack until you have upgraded to the fixed version that does not contain this vulnerability.
