Corrective releases of the distributed source control system Git 2.39.1, 2.38.3, 2.37.5, 2.36.4, 2.35.6, 2.34.6, 2.33.6, 2.32.5, 2.31.6 and 2.30.7 have been published. They fix two vulnerabilities that allow an attacker to execute code on the user’s system when using the “git archive” command and working with untrusted external repositories.
The vulnerabilities are caused by errors in the commit formatting code and in the parsing of the “.gitattributes” file, which, when processing external repositories, can lead to writing to a memory area outside the heap and reading arbitrary data from memory.
Both vulnerabilities were identified during a security audit of the Git codebase, conducted by X41 for OSTIF (Open Source Technology Improvement Fund), an organization created to strengthen the security of open source projects. In addition to the two critical issues discussed below, the audit also found one severe vulnerability, one medium severity vulnerability, and four non-hazardous issues. It also made 27 recommendations for improving the security of the codebase.
CVE-2022-41903: Integer overflow in the commit information formatting code when handling large offset values in padding operators such as “%<(”, “%<|(”, “%>(”, “%>>(” and “%><( )”. The overflow occurs in the format_and_pad_commit() function because the int type is used for a size_t value, which then takes part in determining the offset of the block copied when memcpy() is called.
The vulnerability can be triggered both directly, with specially crafted formatting parameters (for example, when running “git log --format=…”), and indirectly, when formatting is applied during the execution of the “git archive” command in a repository controlled by the attacker. In the second case, the formatting modifiers are set via the export-subst attribute in the “.gitattributes” file, which the attacker can place in their repository. The issue can be exploited to read and write arbitrary areas on the heap and can lead to malicious code execution when working with unverified repositories.
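As an added example (not part of the original article and not Git's own code), a pre-check for an untrusted checkout before “git archive” is run on it: it lists the files that the top-level “.gitattributes” marks export-subst and flags padding widths above a review threshold. The $Format:...$ placeholder syntax is Git's; the function names, the WIDTH_LIMIT value, the simplified fnmatch path matching and the sample tree are assumptions of this example.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Padding placeholders such as %<( %<|( %>( %>>( %><( followed by a width.
PAD_RE = re.compile(rb"%(?:<|>>|><|>)\|?\(\s*(-?\d+)")
SUBST_RE = re.compile(rb"\$Format:([^$\n]*)\$")  # export-subst placeholder block
WIDTH_LIMIT = 1024  # assumed review threshold, not a limit taken from Git

def export_subst_patterns(text: str) -> list[str]:
    """Path patterns that a .gitattributes body marks with export-subst."""
    rows = [ln.split() for ln in text.splitlines()]
    return [r[0].lstrip("/") for r in rows
            if r and not r[0].startswith("#") and "export-subst" in r[1:]]

def large_padding(data: bytes, limit: int = WIDTH_LIMIT) -> list[int]:
    """Padding widths above `limit` inside $Format:...$ blocks of one file."""
    widths = [int(w) for blk in SUBST_RE.findall(data) for w in PAD_RE.findall(blk)]
    return [w for w in widths if abs(w) > limit]

def scan(worktree: Path) -> dict[str, list[int]]:
    """Map export-subst files to flagged widths (simplified fnmatch matching)."""
    attr = worktree / ".gitattributes"
    if not attr.is_file():
        return {}
    patterns = export_subst_patterns(attr.read_text(errors="replace"))
    findings = {}
    for path in worktree.rglob("*"):
        rel = path.relative_to(worktree).as_posix()
        if rel.startswith(".git/") or not path.is_file():
            continue
        if any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(path.name, p) for p in patterns):
            hits = large_padding(path.read_bytes())
            if hits:
                findings[rel] = hits
    return findings

def demo() -> dict[str, list[int]]:
    """Constructed sample tree: one ordinary and one suspicious export-subst file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".gitattributes").write_text("*.txt export-subst\n")
        (root / "ok.txt").write_text("rev $Format:%<(20)%h$\n")
        (root / "odd.txt").write_text("rev $Format:%>>(5000000)%h$\n")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

The scan reads only the checked-out top-level “.gitattributes”, so attribute files in subdirectories need the same pass.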
CVE-2022-23521: Integer overflows when parsing the contents of “.gitattributes” files in a repository, which occur when processing a very large number of file path patterns or a large number of attributes for a single pattern, and when parsing very large attribute names.
The problem can be exploited to read and write arbitrary areas on the heap and lead to attacker code being executed when working with an unverified repository, where an attacker could place a specially crafted .gitattributes file and ensure it gets into the index.
The publication of package updates in distributions can be tracked on the pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Arch, FreeBSD, NetBSD. To reduce the risk of an attack if an update cannot be installed in a timely manner, it is recommended to refrain from working with untrusted repositories and from using the “git archive” command.
It’s important to remember that the “git archive” command can be run implicitly, for example from within the git daemon. To disable running “git archive” in the git daemon, change the daemon.uploadArch parameter with the command “git config --global daemon.uploadArch false”.
Additionally, one more vulnerability (CVE-2022-41953) in the Git for Windows product can be noted, which allows code execution when cloning unverified external repositories through the graphical interface.
The problem arises because the Git GUI for Windows automatically runs some post-processing commands after the “checkout” operation, such as launching the spell-check program to check spelling, and the search paths for the spell-check executable include the cloned working tree (the attack comes down to adding spell-check to the working tree of the repository).