GitLab has issued patches for two critical severity security flaws in Git that could allow perpetrators to exploit integer overflows and execute arbitrary code remotely.
The flaws, tracked as CVE-2022-41903 and CVE-2022-23521, were fixed in yesterday’s release, which provides updated Git versions going back to v2.30.7.
The first vulnerability affects Git’s commit formatting component, which allows commits to be displayed using arbitrary formats. Processing padding operators in such a format can cause an integer overflow. The overflow can be triggered directly by a user invoking the commit formatting mechanism through a command, or indirectly through git archive’s export-subst attribute.
Once the overflow occurs, it may lead to arbitrary heap writes, which could let threat actors achieve remote code execution (RCE). Although upgrading to the latest patched version is the recommended fix, users who are unable to do so can disable, or avoid running, git archive in untrusted repositories.
The second security flaw affects Git’s gitattributes parsing mechanism, which allows path attributes to be defined. Parsing gitattributes can lead to multiple integer overflows in various situations. For example, crafted “.gitattributes” files included in the commit history can trigger the overflows, because Git does not split lines longer than 2KB when parsing gitattributes from the index. As with the other vulnerability, the overflow caused by CVE-2022-23521 may lead to arbitrary heap reads and writes, which facilitates RCE.
To address the issue, users should install the latest patched version of Git, which covers versions going back to v2.30.7.
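As an added example (not part of the article and not Git’s own tooling), the script below performs the two pre-flight checks a defender can run on a checked-out repository before archiving or formatting commits from it: it flags .gitattributes lines over the 2KB limit the article mentions, and it reports export-subst attributes, which make git archive reach the commit formatter. The 2048-byte threshold, the sample file content, and the function names are assumptions chosen for this example.

```python
"""Pre-flight checks for the two Git issues described above (added example, not
from the article or from the Git project). Scans .gitattributes files in a
working tree for over-long lines and for export-subst attributes."""
import os
import sys

LINE_LIMIT = 2048  # the "2KB" line length the article mentions (assumed as 2048 bytes)

# Constructed sample .gitattributes content for demonstration: line 3 sets
# export-subst, line 4 is an over-long pattern line.
SAMPLE = "*.txt text\n# comment\nREADME export-subst\n" + "a" * 3000 + " binary\n"


def scan_gitattributes_text(text: str, source: str = ".gitattributes") -> list[str]:
    """Return human-readable findings for the content of one .gitattributes file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        nbytes = len(line.encode("utf-8"))
        if nbytes > LINE_LIMIT:
            findings.append(f"{source}:{lineno}: line exceeds {LINE_LIMIT} bytes ({nbytes} bytes)")
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no attributes
        # Format is: <pattern> <attr> [<attr>...]; only a bare "export-subst" enables it
        fields = stripped.split()
        if "export-subst" in fields[1:]:
            findings.append(f"{source}:{lineno}: export-subst set for pattern {fields[0]!r} "
                            "(git archive will run commit formatting on matching files)")
    return findings


def scan_repo(root: str) -> list[str]:
    """Scan every .gitattributes in the working tree plus .git/info/attributes."""
    candidates = [os.path.join(root, ".git", "info", "attributes")]
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # do not descend into .git
        if ".gitattributes" in filenames:
            candidates.append(os.path.join(dirpath, ".gitattributes"))
    findings = []
    for path in candidates:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_gitattributes_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_repo(target) if target else scan_gitattributes_text(SAMPLE, "SAMPLE")
    for finding in results:
        print(finding)
```

Only the working tree is inspected; a .gitattributes file that exists solely in older commits would still need to be checked out (or extracted with git) before this script sees it.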
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.