Jump to content
  • Git patches two critical remote code execution security flaws


    Karlston

    • 543 views
    • 2 minutes
     Share


    • 543 views
    • 2 minutes

    Git has patched two critical severity security vulnerabilities that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses.

     

    A third Windows-specific flaw impacting the Git GUI tool caused by an untrusted search path weakness enables unauthenticated threat actors to run untrusted code low-complexity attacks.

     

    The first two vulnerabilities (CVE-2022-41903 in the commit formatting mechanism and CVE-2022-23521 in the .gitattributes parser) were patched on Wednesday in new versions going back to v2.30.7.

     

    The third one, tracked as CVE-2022-41953, is still waiting for a patch, but users can work around the issue by not using the Git GUI software to clone repositories or avoid cloning from untrusted sources.

     

    Security experts from X41 (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found these vulnerabilities as part of a security source code audit of Git sponsored by OSTIF.

     

    "The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges," X41 security experts said.

     

    "Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input."

     

    Package Affected versions Patched versions
    git-for-windows <=2.39.0(2) >=2.39.1
    git <= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0 >= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1

     

    In all cases, the most effective way to defend against attacks attempting to exploit these vulnerabilities is to upgrade to the latest Git release (v2.39.1).

     

    Users who cannot immediately update to address the CVE-2022-41903 critical remote code execution bug can also take the following measures to ensure that attackers cannot abuse the vulnerable Git functionality:

     

    • Disable 'git archive' in untrusted repositories or avoid running the command on untrusted repos
    • If 'git archive' is exposed via 'git daemon,' disable it when working with untrusted repositories by running the 'git config --global daemon.uploadArch false' command

     

    "We strongly recommend that all installations running a version affected by the issues [..] are upgraded to the latest version as soon as possible," GitLab warned.

     

     

    Git patches two critical remote code execution security flaws


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...