GitLab Patches Two Critical Remote Code Execution Vulnerabilities

GitLab has issued patches for two critical severity security flaws in Git that could allow perpetrators to exploit integer overflows and execute arbitrary code remotely.

The flaws, tracked as CVE-2022-41903 and CVE-2022-23521, were fixed in yesterday’s release that covers new versions of Git issued since v2.30.7.

CVE-2022-41903

The first vulnerability affects the service’s commit formatting component that allows the display of commits using arbitrary formats. Processing padding operators could cause an integer overflow. The event can be triggered directly by users invoking the commit formatting mechanism through a command or indirectly by git archive’s export-subst attribute.

Once the overflow occurs, it may lead to arbitrary heap writes, which could let threat actors perform remote code execution (RCE). Although upgrading to the latest patched version is the recommended fix, users who are unable to do so can also disable or avoid running git archive in untrusted repositories.

CVE-2022-23521

The second security flaw affects Git’s gitattributes parsing mechanism, which allows for defining path attributes. Parsing gitattributes could lead to multiple integer overflows in various situations, such as:

• Huge number of attributes for single patterns
• Declared attribute names exceed the regular length
• Outstanding number of path patterns

Crafted “.gitattributes” files included in the commit history could trigger the overflows, as Git doesn’t split lines longer than 2KB when parsing gitattributes from the index. As with the other vulnerability, the overflow caused by CVE-2022-23521 may lead to arbitrary heap reads and writes, which facilitates RCE.

To address the issue, users should install the latest patched version of Git, which covers versions going back to v2.30.7.