Is the SourceTree Mac app susceptible to the recently exposed Sparkle vulnerability?

I was surprised to not find any reference to this issue on the support site.

4 answers

1 accepted

I was browsing other questions to find the ID of an Atlassian staff member, and found this question: https://answers.atlassian.com/questions/36117100

Which referenced this bug: https://jira.atlassian.com/browse/SRCTREE-3379

That does address the issue and the fix has been included in version 2.2 released today.

I upgraded to the latest version, 2.2. But I am still seeing that the http protocol is being used for the AppCast xml. So I believe it's still susceptible to MITM.

I found this in a comment online: http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

Here's how to list all apps that use Sparkle on your system, and what version they are using:

find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

You're looking for versions prior to 1.13.1 (as per https://github.com/sparkle-project/Sparkle/releases). These are vulnerable if they are set to load any assets over unsecured HTTP. Perhaps someone else can chime in on where those URLs can be found.

If SourceTree doesn't use Sparkle, I'm not sure why they'd be expected to comment about it. To be fair, I don't use a Mac, so I can't check this myself. Maybe they do use Sparkle and should be more on top of the issue, I don't know.

I haven't looked into why that command doesn't pick it up, but SourceTree looks to me to be using it. I have the latest version (2.1) installed and the value of CFBundleShortVersionString in the following file is 1.8.0:

/Applications/SourceTree.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist
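The find one-liner above only reports the embedded Sparkle version; the other half of the check is whether the app's appcast is fetched over plain http, which is what the 2.2 comment is worried about. The script below is an added example for this thread (not code from Atlassian or the Sparkle project): it walks a directory of .app bundles, reads CFBundleShortVersionString from the Autoupdate.app Info.plist inside Sparkle.framework (the same file quoted above for SourceTree), reads the SUFeedURL key from the app's own Contents/Info.plist, and flags bundles that combine Sparkle older than 1.13.1 with an http:// feed. It assumes XML-format plists (run `plutil -convert xml1` on binary ones first) and that the feed URL lives in Info.plist; an app can also supply it from code via Sparkle's delegate, which this check cannot see, so a missing SUFeedURL is reported as "none" rather than as safe.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits macOS .app bundles for
# Sparkle < 1.13.1 combined with a plain-http appcast (SUFeedURL).
# Assumptions: XML Info.plist files; Sparkle embedded under
# <App>.app/Contents/Frameworks/Sparkle.framework with an Autoupdate.app inside.

# Print the <string> value that follows <key>$2</key> in XML plist $1 (or nothing).
plist_string() {  # plist_string <file> <key>
    grep -A1 "<key>$2</key>" "$1" 2>/dev/null \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is strictly lower than $2, comparing each
# numeric field in turn (so 1.8.0 < 1.13.1, which a plain string sort gets wrong).
version_lt() {  # version_lt <ver-a> <ver-b>
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Classify one bundle. Prints "<app>\t<sparkle-version>\t<feed-url>\t<verdict>":
#   VULNERABLE  - Sparkle older than 1.13.1 AND feed fetched over http://
#   OLD-SPARKLE - old Sparkle, but the feed is not plain http (or not in Info.plist)
#   HTTP-FEED   - fixed Sparkle, but the feed is still plain http
#   OK          - neither condition
# Returns 1 (prints nothing) when the bundle does not embed Sparkle.
audit_app() {  # audit_app <path/to/App.app>
    app="$1"
    auto_plist=$(find "$app/Contents/Frameworks" \
        -path '*Sparkle.framework/*Autoupdate.app/Contents/Info.plist' 2>/dev/null | head -n 1)
    [ -n "$auto_plist" ] || return 1
    ver=$(plist_string "$auto_plist" CFBundleShortVersionString)
    feed=$(plist_string "$app/Contents/Info.plist" SUFeedURL)
    old=no; http=no
    [ -n "$ver" ] && version_lt "$ver" 1.13.1 && old=yes
    case "$feed" in http://*) http=yes ;; esac
    if [ "$old" = yes ] && [ "$http" = yes ]; then verdict=VULNERABLE
    elif [ "$old" = yes ]; then verdict=OLD-SPARKLE
    elif [ "$http" = yes ]; then verdict=HTTP-FEED
    else verdict=OK
    fi
    printf '%s\t%s\t%s\t%s\n' "$app" "${ver:-unknown}" "${feed:-none}" "$verdict"
}

# Audit every .app at the top of a directory (default /Applications).
# -prune keeps find from descending into each bundle, where nested
# helper apps (including Autoupdate.app itself) would be counted twice.
audit_dir() {  # audit_dir [root]
    root="${1:-/Applications}"
    find "$root" -maxdepth 2 -name '*.app' -prune -print 2>/dev/null \
        | while IFS= read -r app; do
            audit_app "$app" || true
        done
}

audit_dir "${1:-/Applications}"
```

Run it as `sh sparkle_audit.sh` (or with a different root as the first argument) and look at the last column; a VULNERABLE line is an app that is still in the situation the Ars Technica article describes, even if its own version number has gone up. The hypothetical bundle layout and plist contents used in the checks are constructed for the example, not taken from a real SourceTree install.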

0 votes
Der Lun Ooi Atlassian Team Feb 13, 2016

The HTTP protocol works the same regardless of which operating system you are using, so the short answer is yes, you are vulnerable to a man-in-the-middle attack until you have upgraded to the fixed version that does not contain this vulnerability.
