MMS • Sergio De Simone
Article originally posted on InfoQ. Visit InfoQ
Two vulnerabilities affecting Git’s commit log formatting and .gitattributes
parsing in Git versions up to and including Git 2.39 have been recently patched. Both may lead to remote code execution, so users are required to upgrade immediately to Git 2.39.1.
One of the vulnerabilities, which was discovered by Joern Schneeweisz of GitLab, received the CVE-2022-41903 CVE identifier. It affects the git log
command when using the --format
option to customize the log format:
When processing the padding operators (e.g., %<(, %(, %>>(, or %><( ), an integer overflow can occur in
pretty.c::format_and_pad_commit()
where asize_t
is improperly stored as anint
, and then added as an offset to a subsequentmemcpy()
call.
The vulnerability can be triggered by running the git log --format=...
command supplying a malicious format specifiers. It can also be triggered indirectly by running the git archive
command using the export-subst
gitattribute, which expands format specifiers inside of files within the repository.
The other critical vulnerability, with identifier CVE-2022-23521, was discovered by Markus Vervier and Eric Sesterhenn of X41 D-Sec. It affects the gitattributes mechanism, which allows to assign specific attributes to paths matching certain attributes, as specified in a .gitattributes
file. Gitattributes can be used, for example, to specify which files should be treated as binary, what language to use for syntax highlighting, and so on.
When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted
.gitattributes
file that may be part of the commit history.
This vulnerability specifically requires that the .gitattributes
file is parsed from the index, since git splits lines longer than 2KB when parsing gitattributes from a file.
Both vulnerabilities have mitigations, which consists in not using the affected features, but the suggested solution is upgrading to the latest Git version.
Additionally, the Git project has also disclosed a Windows-specific high severity vulnerability affecting Git GUI. CVE-2022-41953 can be triggered when cloning untrusted repositories on a Windows system due to how Tcl, the language used to implement Git GUI, deals with search paths on Windows:
Malicious repositories can ship with an
aspell.exe
in their top-level directory which is executed by Git GUI without giving the user a chance to inspect it first, i.e. running untrusted code
This issue has also been fixed in Git 2.39.1.
GitHub has taken action to ensure all of the repositories it hosts are not affected and to prevent any of those attacks. They also announced updates to all of its products integrating Git, including GitHub Desktop, GitHub Codespaces, GitHub Actions, and GitHub Enterprise Server.