Git patches two critical remote code execution security flaws

Git has patched two critical severity security vulnerabilities that would allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses.
A third Windows-specific flaw affecting the Git GUI tool, caused by an untrusted search path weakness, allows unauthenticated threat actors to run untrusted code in low-complexity attacks.
The first two vulnerabilities (CVE-2022-41903 in the commit formatting mechanism and CVE-2022-23521 in the .gitattributes parser) were patched on Wednesday in new versions going back to v2.30.7.
The third one, tracked as CVE-2022-41953, is still waiting for a patch, but users can work around the issue by not using the Git GUI software to clone repositories, or by avoiding cloning from untrusted sources.
Security experts from X41 (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found these vulnerabilities as part of a security source code audit of Git sponsored by OSTIF.
"The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges," X41 security experts said.
"Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input."
| Package | Affected versions | Patched versions |
| --- | --- | --- |
| git-for-windows | <= 2.39.0(2) | >= 2.39.1 |
| git | <= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0 | >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1 |
In all cases, the easiest way to defend against attacks attempting to exploit these vulnerabilities is to upgrade to the latest Git release (v2.39.1).
Users who cannot immediately update to address the CVE-2022-41903 critical remote code execution bug can also take the following measures to ensure that attackers cannot abuse the vulnerable Git functionality:
- Disable 'git archive' in untrusted repositories, or avoid running the command on untrusted repos
- If 'git archive' is exposed via 'git daemon', disable it when working with untrusted repositories by running the 'git config --global daemon.uploadArch false' command
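The version table and the workaround above can be turned into a quick host check. The following POSIX shell script is an added example, not code from the article, Git, X41 or GitLab: it compares an installed Git version string against the patched release of its minor line (taken from the table above, treating lines older than 2.30 as having no fix) and, only if Git is on PATH, reports whether the host is covered or should be upgraded or have `daemon.uploadArch` disabled. The `git_version_is_patched` and `disable_daemon_upload_arch` function names are the example's own.

```shell
#!/bin/sh
# Added example: is this Git version at or above the patched release for
# its minor line (CVE-2022-41903 / CVE-2022-23521)? Returns 0 if patched,
# 1 if affected. Minimum patch levels come from the table in the article;
# minor lines below 2.30 received no fix and are reported as affected.
git_version_is_patched() {
    v=${1#v}            # accept "v2.39.1" as well as "2.39.1"
    v=${v%%[!0-9.]*}    # drop suffixes such as ".windows.1" or "(2)"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    patch=${patch:-0}

    [ "$major" -gt 2 ] && return 0      # any 3.x or later is newer than the fixes
    [ "$major" -lt 2 ] && return 1      # 1.x never received these patches

    case "$minor" in                    # patched-versions column of the table
        30) need=7 ;;
        31) need=6 ;;
        32) need=5 ;;
        33) need=6 ;;
        34) need=6 ;;
        35) need=6 ;;
        36) need=4 ;;
        37) need=5 ;;
        38) need=3 ;;
        39) need=1 ;;
        *)
            [ "$minor" -gt 39 ] && return 0   # 2.40+ postdates the fixes
            return 1 ;;                       # 2.0 .. 2.29: no fixed release
    esac
    [ "$patch" -ge "$need" ]
}

# Workaround from the article for hosts that cannot upgrade yet: stop
# 'git daemon' from serving 'git archive' requests. Not run automatically.
disable_daemon_upload_arch() {
    git config --global daemon.uploadArch false
}

# Live check, only when a git binary is available on this host.
if command -v git >/dev/null 2>&1; then
    installed=$(git --version | awk '{print $3}')
    if git_version_is_patched "$installed"; then
        echo "git $installed: patched for CVE-2022-41903 / CVE-2022-23521"
    else
        echo "git $installed: AFFECTED - upgrade to v2.39.1 or newer;"
        echo "  interim workaround: run disable_daemon_upload_arch"
    fi
fi
```

The version check is deliberately per minor line rather than a plain "is it 2.39.1 or newer" comparison, because Git backported the fixes to every maintained line: a host on v2.30.7 is patched even though it is far behind v2.39.1, while a host on v2.39.0 is not.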
"We strongly recommend that all installations running a version affected by the issues [..] are upgraded to the latest version as soon as possible," GitLab warned.