In its latest update, Git has patched two new security flaws, both rated critical. If left unpatched, the vulnerabilities could allow attackers to execute arbitrary code by exploiting heap-based buffer overflow weaknesses.
Git Update Details
On January 17th, Git released versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). The company strongly recommends upgrading to one of these versions as they contain important security fixes.
The vulnerabilities patched are CVE-2022-41903 and CVE-2022-23521. The first was identified by Joern Schneeweisz of GitLab and affects the “git-log” command, which can display commits in an arbitrary format using its “--format” specifiers.
An integer overflow can occur in “pretty.c::format_and_pad_commit()” when processing padding operators. A user who runs a command that uses the commit formatting machinery, such as “git log --format=…”, can cause the overflow to occur. It may also be triggered indirectly through the “export-subst” mechanism, which expands format specifiers inside files within the repository during a git archive.
This integer overflow may lead to unauthorized heap writes and remote code execution.
Vulnerability CVE-2022-23521 was discovered by X41 researchers and affects “gitattributes”, a mechanism for defining attributes for paths. These attributes are defined by adding a “.gitattributes” file to the repository, which contains a list of file patterns and the attributes that should be set for paths matching these patterns.
Multiple integer overflows can occur when processing gitattributes if there are a lot of path patterns, a lot of attributes for a single pattern, or a lot of declared attribute names. The overflows can be triggered through a crafted “.gitattributes” file that may be part of the commit history. Any heap reads or writes resulting from this integer overflow could lead to remote code execution.
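As an added example (not code from this article, Git, or GitLab), the Python sketch below audits the text of a “.gitattributes” file for the three size conditions described above and lists the paths that set “export-subst”. The function name, the thresholds and the sample input are assumptions chosen for illustration; the thresholds are not Git's limits.

```python
from dataclasses import dataclass, field

# Assumed review thresholds chosen for illustration; they are not Git's limits.
MAX_PATTERNS = 10_000
MAX_ATTRS_PER_PATTERN = 100
MAX_DISTINCT_NAMES = 1_000


@dataclass
class Report:
    patterns: int = 0
    max_attrs: int = 0
    names: set = field(default_factory=set)
    export_subst: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def attr_name(token: str) -> str:
    """Drop the '-' or '!' prefix and any '=value' suffix of an attribute."""
    return token.lstrip("-!").split("=", 1)[0]


def audit_gitattributes(text: str) -> Report:
    rep = Report()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments declare nothing
        # Simplification: quoted patterns containing spaces are not handled.
        pattern, *attrs = line.split()
        rep.patterns += 1
        rep.max_attrs = max(rep.max_attrs, len(attrs))
        rep.names.update(attr_name(a) for a in attrs)
        if len(attrs) > MAX_ATTRS_PER_PATTERN:
            rep.findings.append(f"line {lineno}: {len(attrs)} attributes on one pattern")
        if "export-subst" in attrs:  # attribute is set, so git archive expands specifiers
            rep.export_subst.append(pattern)
    if rep.patterns > MAX_PATTERNS:
        rep.findings.append(f"{rep.patterns} path patterns in one file")
    if len(rep.names) > MAX_DISTINCT_NAMES:
        rep.findings.append(f"{len(rep.names)} distinct attribute names")
    return rep


# Constructed sample input, not taken from a real repository.
SAMPLE = ("# comment\n*.txt text eol=lf\nVERSION export-subst\n"
          "blob.bin " + " ".join(f"a{i}" for i in range(150)) + "\n")

if __name__ == "__main__":
    print(audit_gitattributes(SAMPLE))
```

Running it over each “.gitattributes” in a repository of unknown origin shows which files merit review before the repository is handled by an unpatched Git.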
For more details on the vulnerabilities patched you can access GitLab’s update report here.