Is the SourceTree Mac app susceptible to the recently exposed Sparkle vulnerability?

Ken Taylor February 12, 2016

I was surprised to not find any reference to this issue on the support site.

4 answers

1 accepted

1 vote
Answer accepted
Seth
Rising Star
February 12, 2016

I was browsing other questions to find the ID of an Atlassian staff member, and found this question: https://answers.atlassian.com/questions/36117100

Which referenced this bug: https://jira.atlassian.com/browse/SRCTREE-3379

Ken Taylor February 16, 2016

That does address the issue, and the fix has been included in version 2.2, released today.

sachinhallad February 17, 2016

I upgraded to the latest version, 2.2. But I am still seeing that the http protocol is being used for the AppCast XML, so I believe it's still susceptible to MITM.

0 votes
Der Lun
Atlassian Team
February 13, 2016

The HTTP protocol works the same regardless of which operating system you are using, so the short answer is yes, you are vulnerable to a man-in-the-middle attack until you have upgraded to the fixed version that does not contain this vulnerability.

0 votes
Ken Taylor February 12, 2016

I haven't looked into why that command doesn't pick it up, but SourceTree looks to me to be using it. I have the latest version (2.1) installed, and the value of CFBundleShortVersionString in the following file is 1.8.0:

/Applications/SourceTree.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist

0 votes
Seth
Rising Star
February 12, 2016

I found this in a comment online: http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

Here's how to list all apps that use Sparkle on your system, and what version they are using:

find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

You're looking for versions prior to 1.13.1 (as per https://github.com/sparkle-project/Sparkle/releases). These are vulnerable if they are set to load any assets over unsecured HTTP. Perhaps someone else can chime in on where those URLs can be found.

If SourceTree doesn't use Sparkle, I'm not sure why they'd be expected to comment about it. To be fair, I don't use a Mac, so I can't check this myself. Maybe they do use Sparkle and should be more on top of the issue, idk.
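
Added example (not code from this thread, from SourceTree or from Atlassian): a shell script that does what Ken's manual check and Seth's find command do in one pass, and also answers the open question of where the appcast URL lives. Sparkle reads the feed URL from the host app's Info.plist under the key SUFeedURL, so the script pairs each embedded Sparkle version with that URL and flags the combination the thread describes as exploitable (Sparkle older than 1.13.1 fetching its appcast over plain http), as well as the case sachinhallad reports (fixed Sparkle, appcast still over http). Assumptions: the Info.plist files are XML (binary plists need `plutil -convert xml1` first), and SUFeedURL is set in Info.plist rather than supplied at runtime by the app's updater delegate, in which case the script prints `-` for the feed. The three fixture apps, their versions and the example.invalid feed URLs are constructed for the demo; the constant 1.13.1 is the fixed release named in Seth's answer.

```sh
#!/bin/sh
# Added example (not code from the thread or from SourceTree/Atlassian).
# Audits app bundles for the Sparkle updater: reports the embedded Sparkle
# version and whether the appcast feed (SUFeedURL in the host app's Info.plist)
# is fetched over plain HTTP, the condition the thread says makes an old
# Sparkle exploitable by a man-in-the-middle.
# Assumptions: Info.plist files are XML (convert binary ones with
# `plutil -convert xml1`); SUFeedURL is set in Info.plist, not at runtime.

FIXED_SPARKLE="1.13.1"   # first Sparkle release with the fix, per the thread

# plist_value FILE KEY: print the <string> that follows <key>KEY</key>.
plist_value() {
    [ -r "$1" ] || return 0
    sed -n "/<key>$2<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}" "$1"
}

# version_lt A B: succeed when dotted version A is numerically older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1          # equal versions are not "older"
    }'
}

# sparkle_audit DIR: one tab-separated line per Sparkle-using app under DIR:
#   <app bundle>  <Sparkle version>  <feed URL or ->  <verdict>
# verdict is "ok" or a comma-separated list of "old-sparkle" / "http-feed".
sparkle_audit() {
    find "$1" -path '*Autoupdate.app/Contents/Info.plist' -print 2>/dev/null |
    while IFS= read -r plist; do
        app="${plist%%.app/*}.app"                  # outermost .app bundle
        ver=$(plist_value "$plist" CFBundleShortVersionString)
        feed=$(plist_value "$app/Contents/Info.plist" SUFeedURL)
        flags=""
        # unknown version is treated as old (conservative)
        if version_lt "${ver:-0}" "$FIXED_SPARKLE"; then flags="old-sparkle"; fi
        case "$feed" in
            http://*) flags="${flags:+$flags,}http-feed" ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$app" "${ver:--}" "${feed:--}" "${flags:-ok}"
    done
}

# Constructed fixture so the audit runs offline: three fake bundles mirroring
# the cases in the thread (old Sparkle + http feed, fixed Sparkle + https feed,
# fixed Sparkle but still an http feed). Real use: sparkle_audit /Applications
mk_app() {   # mk_app ROOT NAME SPARKLE_VERSION FEED_URL
    sp="$1/$2.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents"
    mkdir -p "$sp"
    printf '<plist version="1.0"><dict>\n<key>CFBundleShortVersionString</key>\n<string>%s</string>\n</dict></plist>\n' "$3" > "$sp/Info.plist"
    printf '<plist version="1.0"><dict>\n<key>SUFeedURL</key>\n<string>%s</string>\n</dict></plist>\n' "$4" > "$1/$2.app/Contents/Info.plist"
}

make_fixture() {
    root=$(mktemp -d)
    mk_app "$root" OldApp   1.8.0  http://example.invalid/appcast.xml
    mk_app "$root" NewApp   1.13.1 https://example.invalid/appcast.xml
    mk_app "$root" MixedApp 1.13.1 http://example.invalid/appcast.xml
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    sparkle_audit "$(make_fixture)"
fi
```

On a real Mac run `sparkle_audit /Applications` (the `--demo` flag runs it against the constructed fixture instead). An app whose updater sets the feed URL programmatically shows `-` for the feed; for those, and to see whether the appcast's own release-notes links are also plain http, fetch the appcast URL yourself or watch the update check through a proxy.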
