Git Patches Two Vulnerabilities With Critical Security Level
GitLab Strongly Recommends the Update.
Last updated on October 5, 2023
In their latest update, Git has patched two new security flaws, both rated critical. If left unpatched, the vulnerabilities could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses.
Git Update Details
On January 17th, Git released versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE). The company strongly recommends upgrading to one of these versions as they contain important security fixes.
An integer overflow can occur in “pretty.c::format_and_pad_commit()” when processing padding operators. A user who executes a command that uses the commit formatting machinery (e.g., “git log --format=…”) can cause the overflow to occur. It may also be triggered indirectly through the “export-subst” mechanism, which expands format specifiers inside files within the repository during a “git archive”.
This integer overflow may lead to unauthorized heap writes and remote code execution.
Vulnerability CVE-2022-23521 was discovered by X41 researchers and affects “gitattributes”, a mechanism for defining attributes for paths. These attributes can be defined by adding a “.gitattributes” file to the repository, which lists file patterns and the attributes that should be set for paths matching those patterns.
Multiple integer overflows can happen when processing gitattributes if there are a lot of path patterns, a lot of attributes for a single pattern, or a lot of declared attribute names. The overflows can be triggered through a crafted “.gitattributes” file that may be part of the commit history. Any heap reads or writes resulting from this integer overflow could lead to remote code execution.
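As an added example (not code from this article or from the Git project), the Python heuristic below flags “.gitattributes” content that matches the conditions described above: many patterns, many attributes on one pattern, many attribute names, and any pattern that sets “export-subst”. The thresholds, function names, finding labels and sample input are assumptions made for illustration, and the name-length check goes beyond the conditions the article lists.

```python
# Thresholds are assumptions for illustration, not limits defined by Git.
MAX_PATTERNS = 10_000
MAX_ATTRS_PER_PATTERN = 100
MAX_DISTINCT_NAMES = 1_000
MAX_ATTR_NAME_LEN = 256  # name length is an extra check beyond the article's list

def split_line(line):
    """Return (pattern, attribute tokens) for one line, or None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith('"'):  # quoted pattern ends at the next unescaped quote
        i = 1
        while i < len(line) and line[i] != '"':
            i += 2 if line[i] == "\\" else 1
        return line[:i + 1], line[i + 1:].split()
    parts = line.split()
    return parts[0], parts[1:]

def attr_name(token):
    """Strip a leading -/! and any =value from an attribute token."""
    return token.lstrip("-!").split("=", 1)[0]

def audit_gitattributes(text):
    """Return (line number, finding) pairs; line 0 marks whole-file findings."""
    findings, patterns, names = [], 0, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = split_line(raw)
        if entry is None:
            continue
        patterns += 1
        attrs = entry[1]
        names.update(attr_name(a) for a in attrs)
        if len(attrs) > MAX_ATTRS_PER_PATTERN:
            findings.append((lineno, "many-attributes"))
        if any(len(attr_name(a)) > MAX_ATTR_NAME_LEN for a in attrs):
            findings.append((lineno, "long-attribute-name"))
        if "export-subst" in attrs:  # set (not -/! prefixed) on this pattern
            findings.append((lineno, "export-subst"))
    if patterns > MAX_PATTERNS:
        findings.append((0, "many-patterns"))
    if len(names) > MAX_DISTINCT_NAMES:
        findings.append((0, "many-attribute-names"))
    return findings
# Constructed sample input, not taken from a real repository.
SAMPLE = "\n".join(["# comment", "*.c text diff=cpp", "version.txt export-subst",
    '"docs/my file.md" -text', "*.bin " + " ".join(f"a{i}" for i in range(150)),
    "*.dat " + "x" * 300])
print(audit_gitattributes(SAMPLE))
```

A finding marks a file worth reviewing on a system that has not yet been upgraded; it does not by itself show that the file is malicious.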
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.