I was in this position just recently where git suddenly stopped working, due to needing a complete update of xcode tools. Annoying blocker but OK, let's get it done.
But trying to download the xcode tools put me into a loop which wasn't completing for some reason. After several attempts waiting for it to download and install I gave up and created an alias 'git' which points to my brew install of git (in usr/local/bin I think).
I'd like to point out, however, that installing a new version of git is not in any way blocked by either Microsoft or Apple. If you install git with homebrew, you get the newest version, which will take precedence over the Xcode variety unless you mess with your $PATH. Tricking you into using the old version would require execution rights on the machine. You can also remove the /usr/bin/* binaries if you boot the machine without the system integrity features. You can boot back to normal after the modification.
It is inconvenient that these dev tools are not updated frequently (bash, zsh, and many other command line tools are terribly out of date), but it is not terribly difficult to install a fresh version in parallel.
AIUI /usr/bin/git, and various other utilities, are tiny wrapper programs which will either 1) prompt you to install the Xcode Command Line Tools if they're not installed, or 2) redirect to the actual binary in the Xcode Command Line Tools if they are installed. This means that if you don't have them installed, instead of an error saying that bash can't find git, you get a nice graphical prompt telling you where to get it.
It can't be removed because it's a file that comes with OS X and is therefore covered by System Integrity Protection, which prevents you from deleting or tampering with system components, even as root.
If you do not have Xcode installed but do have the Command Line Tools, you will find the vulnerable git at /Library/Developer/CommandLineTools/usr/bin/git.
I did a `brew install git` and then deleted /Library/Developer/CommandLineTools/usr/bin/git. You can't delete /usr/bin/git even with sudo (system integrity policy).
After installing git via brew and removing the one in CommandLineTools, /usr/bin/git is showing the latest version.
    me@local % git --version
    git version 2.30.2
I don't know if this is recommended or if it will have negative consequences that I don't know about, but it seemed like the way I could accomplish it. Given that /usr/bin/git is working with the homebrew installed git, I'm hopeful that everything will be good.
Please note that you'll need git 1.7.10 or newer for this feature to work. I wasted almost an hour because I was using OS X's default git, which was 1.7.3 I think. I re-installed git from homebrew and now everything is fine.
git has had this behavior for at least a decade. As well, macOS does not ship with git - it's installed as part of either the Command Line Tools package and/or Xcode and is reasonably up to date.
For many years now, macOS has included what are effectively wrappers in /usr/bin for the various development tools that use the xcode-select mechanism to run the actual command. If neither Xcode nor the CLT package is installed, you'll get a prompt to install the CLT package.
The claim you're making has been widely spread but is mistaken. /usr/bin/git is just a wrapper that execs the real git from /Applications/Xcode.app or /Library/Developer/CommandLineTools (depending on what you have installed), and some things will invoke the latter directly anyway; thus removing the wrapper is neither necessary nor sufficient to prevent exposure to the vulnerability.
Git going missing is likely to do with macOS updates. Since Apple moved to a sealed system partition and "non-diff" OS updates, each OS update comes as a unified whole package (often sized in the multiple gigs of data).
This wipes out the xcode-select installed git (because instead of "patching" the existing system, it just replaces the whole lot of it with whatever is in the archive). It leaves Xcode alone (since that's in the Applications folder), but any additional Xcode command line tools get wiped out by the OS update, and the system needs them reinstalled.
I ran into this with Intel based Macs running the beta 11.3 as well, so it's not necessarily an M1 issue.
Then you will get caught by some GUI that uses /usr/bin/git. Be aware changes to PATH in your shell startup files do not affect graphical applications at all.
Just installing git from Homebrew or MacPorts is not enough to be safe from this remote code execution.
Just wanted to say that I appreciate your message and edit. It's great that there are people who are willing to say 'ok, I am wrong'.
The suggestion of Kristine1975 upthread works though. /usr/bin/git just runs xcrun to run git from a command-line tools or Xcode installation. Since Xcode is a regular application:
Nah, the binary doesn't actually contain git. It's just a stub (in /usr/bin) that locates Xcode on the system (in /Applications/Xcode.app by default but configurable) and execs the real git binary from there. See also:
But trying to download the xcode tools put me into a loop which wasn't completing for some reason. After several attempts waiting for it to download and install I gave up and created an alias 'git' which points to my brew install of git (in usr/local/bin I think).
This will bite me somehow very soon, I'm sure.
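Added example, not part of any comment in the thread: since several posts disagree about which git actually runs (the shell's PATH choice, the /usr/bin stub, or the copies inside the Command Line Tools and Xcode), this script lists every copy it can find with its version and flags those older than a minimum you supply. The function names and the `GIT_AUDIT_MIN` variable are assumptions made for the example, and the Xcode path assumes the default /Applications/Xcode.app install location.

```shell
#!/bin/sh
# Added example (not from the thread): list every git this Mac may run.
# Note: on a Mac with neither Xcode nor the CLT installed, calling the
# /usr/bin/git stub brings up the install prompt instead of a version.

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# git_candidates: one path per line for each location the thread mentions.
git_candidates() {
    command -v git 2>/dev/null || true      # what this shell's PATH picks
    echo /usr/bin/git                       # Apple stub, what GUI apps get
    echo /Library/Developer/CommandLineTools/usr/bin/git
    echo /Applications/Xcode.app/Contents/Developer/usr/bin/git
    if command -v xcrun >/dev/null 2>&1; then
        xcrun --find git 2>/dev/null || true   # what the stub resolves to
    fi
}

# audit_git MIN [PATH...]: print each executable git with its version and
# return 1 if any copy is older than MIN. Paths with spaces must be passed
# explicitly, since the default list is word-split.
audit_git() {
    min=$1; shift
    [ $# -gt 0 ] || set -- $(git_candidates | sort -u)
    status=0
    for g in "$@"; do
        [ -x "$g" ] || continue
        v=$("$g" --version 2>/dev/null | awk '{print $3; exit}')
        [ -n "$v" ] || continue
        if version_lt "$v" "$min"; then
            echo "OLD  $v  $g"; status=1
        else
            echo "ok   $v  $g"
        fi
    done
    return $status
}

# GIT_AUDIT_MIN is a hypothetical variable name: set it to the fixed release
# named in the advisory you are tracking (the thread does not state one).
if [ -n "${GIT_AUDIT_MIN:-}" ]; then audit_git "$GIT_AUDIT_MIN"; fi
```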