Git - Critical Overflow bugs
Git has become the common and popular platform for source code management. Because almost every developer relies on Git to manage code, it has also become an attractive target for attacks. A security audit of the Git source code revealed several vulnerabilities, including two critical overflow bugs that can be exploited through the git clone and git archive commands.
One of the most severe flaws the researchers discovered is a memory corruption bug that can occur when Git parses a repository's .gitattributes file. Developers use .gitattributes to customize how Git treats particular files and file paths in a repository. An attacker could add a malicious .gitattributes file to a repository, and the flaw would be triggered when the victim ran git clone or git pull on that repository. Overly long attributes and a very large number of attribute lines in .gitattributes can lead to arbitrary code execution.
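As an added example (not code from the advisory or from the Git project), a small POSIX shell scanner that flags a .gitattributes file whose shape matches the trigger described above, so the file can be reviewed before a repository is cloned or pulled into an unpatched client. The byte and line thresholds are assumptions chosen for this example, not limits taken from the advisory, and the sample files it scans are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original advisory: flag a .gitattributes file
# with very long attribute lines or a very large number of lines, the shape the
# advisory describes as the trigger. The thresholds below are assumptions for
# this example, not limits taken from the advisory.
MAX_ATTR_LINE_BYTES=${MAX_ATTR_LINE_BYTES:-2048}
MAX_ATTR_LINES=${MAX_ATTR_LINES:-10000}

# scan_gitattributes FILE
#   prints one finding per oversized line plus a summary, and returns 0 when
#   the file is within limits or 1 when it should be reviewed before use.
scan_gitattributes() {
    awk -v maxlen="$MAX_ATTR_LINE_BYTES" -v maxlines="$MAX_ATTR_LINES" '
        length($0) > maxlen {
            oversized++
            printf "%s:%d: attribute line of %d bytes (limit %d)\n", FILENAME, NR, length($0), maxlen
        }
        END {
            if (NR > maxlines)
                printf "%s: %d attribute lines (limit %d)\n", FILENAME, NR, maxlines
            exit ((oversized > 0 || NR > maxlines) ? 1 : 0)
        }' "$1"
}

# write_sample_gitattributes DIR: constructed sample files for the demo.
# "clean" is an ordinary file; "long" carries one 3000-byte pattern line.
write_sample_gitattributes() {
    printf '*.sh text eol=lf\n*.png binary\n' > "$1/clean"
    awk 'BEGIN {
        pat = ""
        for (i = 0; i < 3000; i++) pat = pat "a"
        print "*.bin binary"
        print pat " -text"
    }' > "$1/long"
}

# Demo: scan both constructed files and report the verdict for each.
tmp=$(mktemp -d)
write_sample_gitattributes "$tmp"
for f in "$tmp/clean" "$tmp/long"; do
    if scan_gitattributes "$f"; then
        echo "$f: within limits"
    else
        echo "$f: review before cloning into an unpatched Git"
    fi
done
rm -rf "$tmp"
```

A check like this is only a practical gate where the file can be obtained without performing a checkout; it complements upgrading to a patched release rather than replacing it.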
In addition, another critical bug was discovered that enables code execution during the archive operations frequently carried out by Git forges such as GitHub and GitLab. The overflow is triggered when Git processes the padding operator of a pretty format string, either directly through argument injection of a --format specifier into the git log command, or indirectly through the export-subst attribute mechanism when git archive is run. Both git log and git archive use pretty formatting to render commit information.
Along with these serious flaws, the researchers also discovered several integer-related problems that could result in denial of service, out-of-bounds reads, or simply badly handled corner cases on huge inputs.
Affected Versions :
<= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0
Patched Versions :
>= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1
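Because each maintenance line from 2.30 to 2.39 has its own fix release, a plain "newer than X" comparison gets this wrong (2.30.7 is patched while 2.38.2 is not). The following POSIX shell snippet is an added example, not code from the advisory or from the Git project; it classifies a version string against the patched releases listed above and, when git is on the PATH, reports on the local installation. The 2.40-and-later rule is an assumption that later lines carry the fix.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify an installed Git
# version against the patched releases listed in the advisory.

# Patched releases per maintenance line, copied from the advisory's list.
PATCHED_RELEASES="2.30.7 2.31.6 2.32.5 2.33.6 2.34.6 2.35.6 2.36.4 2.37.5 2.38.3 2.39.1"

# git_version_number "git version 2.38.2.windows.1" -> "2.38.2"
# Extracts the numeric MAJOR.MINOR.PATCH prefix from `git --version` output.
git_version_number() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# git_is_patched MAJOR.MINOR.PATCH
#   returns 0 if the version is at or above the fix release of its line,
#   returns 1 if it is on a listed line but below that line's fix release,
#   returns 2 if the line is older than 2.30 (never fixed; treat as vulnerable).
git_is_patched() {
    v=$1
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    for p in $PATCHED_RELEASES; do
        pmajor=${p%%.*}; prest=${p#*.}; pminor=${prest%%.*}; ppatch=${prest#*.}
        if [ "$major" -eq "$pmajor" ] && [ "$minor" -eq "$pminor" ]; then
            [ "$patch" -ge "$ppatch" ] && return 0
            return 1
        fi
    done
    # Not on a listed line: assume 2.40 and later already contain the fix,
    # while anything older than 2.30 never received one.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 39 ]; }; then
        return 0
    fi
    return 2
}

# check_installed_git: run the classification against the local binary.
check_installed_git() {
    if ! command -v git >/dev/null 2>&1; then
        echo "git not found on PATH"
        return 2
    fi
    ver=$(git_version_number "$(git --version)")
    if git_is_patched "$ver"; then
        echo "git $ver: at or above the fix release for its line"
        return 0
    else
        rc=$?
        echo "git $ver: not patched (status $rc); upgrade, or apply the advisory's workaround"
        return "$rc"
    fi
}

# Report on the local installation; the status mirrors git_is_patched.
if check_installed_git; then status=0; else status=$?; fi
echo "check status: $status"
```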
The integer overflow allows an attacker to trigger arbitrary heap-based memory corruption.
Heap memory can then be read and written, which may result in remote code execution.
Mitigation :
Upgrade to the most recently patched version if at all possible.
For CVE-2022-41903, if upgrading is impractical:
Disable git archive in untrusted repositories.
If git archive is exposed indirectly through git daemon, disable it by running git config --global daemon.uploadArch false