Git has fixed two critical-severity vulnerabilities that could let an attacker execute arbitrary code by exploiting heap-based buffer overflows.
A third, Windows-specific flaw in the Git GUI tool, an untrusted search path weakness, allows unauthenticated attackers to run untrusted code with low attack complexity.
The first two vulnerabilities (CVE-2022-41903 in the commit formatting mechanism and CVE-2022-23521 in the .gitattributes parser) were fixed on Wednesday in new releases going back to v2.30.7.
The third, tracked as CVE-2022-41953, is still awaiting a fix, but users can work around it by not using the Git GUI software to clone repositories or by not cloning from untrusted sources.
Security researchers from X41 (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) discovered these vulnerabilities during a Git source code security audit sponsored by OSTIF.
“The most severe issue discovered allows an attacker to trigger heap-based memory corruption during clone or fetch operations, which may lead to code execution. Another critical issue allows execution of code during a check-in operation, which is typically performed by Git forges,” X41 said.
“In addition, a large number of integer-related issues have been identified, which can lead to denial of service situations, out-of-bounds reads, or simply mishandled corner cases on large inputs.”
| Product | Affected versions | Fixed versions |
|---|---|---|
| Git for Windows | <= v2.39.0(2) | >= v2.39.1 |
| Git | <= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0 | >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1 |
In every case, the most effective defense against attacks on these vulnerabilities is to upgrade to the latest version of Git (v2.39.1).
Users who cannot update immediately can reduce their exposure to CVE-2022-41903, the remote code execution bug reached through the commit formatting code, with the following steps (no workaround exists for CVE-2022-23521; upgrading is the only fix):
- Avoid running ‘git archive’ on untrusted repositories, or disable the command there.
- If ‘git archive’ is exposed through ‘git daemon’, turn it off for untrusted repositories with ‘git config --global daemon.uploadArch false’ (the setting defaults to false, so the check is that nobody has enabled it).
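As an added example (not code from the Git project, the X41 audit, or the original article), the following POSIX shell script checks an installed Git against the fixed-version table above and reports whether git daemon is configured to serve archive requests. It assumes that maintenance lines older than 2.30 have no fixed release and are reported as vulnerable, and that 2.40 and later shipped after the fixes; the name audit_local_git and the message wording are the example's own.

```shell
#!/bin/sh
# Added example (not from Git or the advisory): decide whether a Git version
# carries the CVE-2022-41903 / CVE-2022-23521 fixes, using the fixed-version
# table above, and whether git-daemon is configured to serve `git archive`.
# Assumptions: lines older than 2.30 have no fixed release and are treated as
# vulnerable; lines newer than 2.39 were released after the fix.

# First fixed release for each affected maintenance line (from the table).
fixed_version_for_line() {
    case "$1" in
        2.30) echo 2.30.7 ;;
        2.31) echo 2.31.6 ;;
        2.32) echo 2.32.5 ;;
        2.33) echo 2.33.6 ;;
        2.34) echo 2.34.6 ;;
        2.35) echo 2.35.6 ;;
        2.36) echo 2.36.4 ;;
        2.37) echo 2.37.5 ;;
        2.38) echo 2.38.3 ;;
        2.39) echo 2.39.1 ;;
        *)    return 1 ;;
    esac
}

# is_patched VERSION_STRING
# Accepts "git version 2.39.0.windows.2", "2.38.2", and similar strings.
# Returns 0 = patched, 1 = vulnerable, 2 = version could not be parsed.
is_patched() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$nums" ] || return 2
    set -- $nums
    major=$1; minor=$2; patch=$3
    # 2.40 and later were cut after the fix (assumption stated above).
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 39 ]; }; then
        return 0
    fi
    # Anything before 2.30 never received a fixed release.
    if [ "$major" -lt 2 ] || [ "$minor" -lt 30 ]; then
        return 1
    fi
    fixed=$(fixed_version_for_line "$major.$minor") || return 2
    fixed_patch=${fixed##*.}
    # Same maintenance line: patched iff the patch level reaches the fixed one.
    [ "$patch" -ge "$fixed_patch" ]
}

# Inspect the local installation. Prints a verdict and always returns 0 so the
# script can be sourced or chained; the printed lines carry the result.
audit_local_git() {
    command -v git >/dev/null 2>&1 || { echo "git: not installed"; return 0; }
    v=$(git --version)
    rc=0
    is_patched "$v" || rc=$?
    case $rc in
        0) echo "OK: '$v' includes the fixes" ;;
        1) echo "VULNERABLE: '$v' predates the fixed release for its line; upgrade to v2.39.1" ;;
        *) echo "UNKNOWN: could not parse '$v'" ;;
    esac
    # CVE-2022-41903 is reachable over git-daemon only when archive requests are
    # served; daemon.uploadArch defaults to false, so "true" is the finding.
    if [ "$(git config --global --type=bool --get daemon.uploadArch 2>/dev/null)" = "true" ]; then
        echo "WARN: daemon.uploadArch=true exposes git archive via git daemon;"
        echo "      run: git config --global daemon.uploadArch false"
    else
        echo "OK: daemon.uploadArch is not enabled globally"
    fi
}

audit_local_git
```

The version check keys on the maintenance line because Git backported the fix to every supported line rather than only to 2.39; a 2.38.3 host is fixed even though it is numerically below 2.39.0, which is what a naive "is it at least 2.39.1" comparison gets wrong. Git for Windows version strings such as 2.39.0.windows.2 parse to 2.39.0, matching the table's 2.39.0(2) entry.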
“We strongly recommend that all installations running a version affected by the issues [...] are upgraded to the latest version as soon as possible,” GitLab warned.