A source code audit has revealed two critical vulnerabilities affecting git, the popular distributed version control system for collaborative software development.
The latest git vulnerabilities
CVE-2022-41903 is an out-of-bounds memory write flaw in log formatting and CVE-2022-23251 is a truncated allocation leading to out-of-bounds write via large number of attributes. Both may result in remote code execution.
More technical info about each of the flaws can be found in this post by X41 D-Sec researchers experts Eric Sesterhenn and Markus Vervier. The two, along with GitLab security engineer Joern Schneeweisz, inspected git’s source code manually and with code analysis and fuzzing tools and uncovered 35 security issues in total.
Aside from the two critical issues, a high severity flaw (CVE-2022-41953) has also been patched in the Git GUI for Windows. This flaw was discovered by 俞晨东.
“The Windows-specific issue involves a $PATH lookup including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI,” GitHub software engineer Taylor Blau explained, and advised git users to avoid using the Git GUI on Windows when cloning untrusted repositories.
What should users do?
Windows, macOS and Linux/Unix users are advised to grab and implement the new git releases (v2.39.1).
“If you can’t update immediately, reduce your risk by taking the following steps: Avoid invoking the –format mechanism directly with the known operators, and avoid running git archive in untrusted repositories, and if you expose git archive via git daemon, consider disabling it if working with untrusted repositories by running git config –global daemon.uploadArch false,” Blau advised.
GitLab has also implemented the patches in v15.7.5, 15.6.6, and 15.5.9 of GitLab Community Edition (CE) and Enterprise Edition (EE), and recommends all GitLab installations to be upgraded to one of these versions as soon as possible.
GitHub has implemented mitigation steps to prevent GitHub.com from being used as an attack vector, updated the GitHub Dektop app with patches, and scheduled updates to GitHub Codespaces, GitHub Actions and GitHub Enterprise Server with patched versions of git.
Canonical has released new Ubuntu packages with the latest git version.
Improving git security
The git source code audit was organized by the Open Source Technology Improvement Fund (OSTIF), and other efforts to improve git security are underway, they noted.
“We will be releasing the results of those efforts as each of these projects is completed. This coalition of efforts is unified through our shared interests in git and the critical role that it plays in the open source world,” they added.
“Git is the world’s most widely used version control system, and it underpins not only open source, but the vast majority of public and private software development today. To say that git is infrastructure is an understatement, it reaches nearly every corner of software development and touches nearly every product that has software in one way or another.”
The researchers who performed the audit also offered recommendations for git developers: “The use of safe wrappers can improve the overall security of the software as a short term strategy. As a long term improvement strategy, we recommend to alternate between time-boxed code base refactoring sprints and subsequent security reviews.”