https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/

# Git security vulnerabilities announced

Git users are encouraged to upgrade to the latest version, especially if they use `git archive`, work in untrusted repositories, or use Git GUI on Windows.

Author: Taylor Blau, January 17, 2023

Today, the Git project released new versions to address a pair of security vulnerabilities, CVE-2022-41903 and CVE-2022-23521, that affect versions 2.39 and older. Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953.

The first two vulnerabilities affect Git's commit-formatting mechanism and its `.gitattributes` parser, respectively. The former can be used to perform arbitrary heap writes, while the latter can also be used for arbitrary reads. Both may result in arbitrary code execution, so users should upgrade immediately.

Both were found as part of an audit of the Git codebase conducted by X41. This audit was sponsored by the Open Source Technology Improvement Fund (OSTIF). Fixes were authored by engineers from the GitLab Security Research Team, as well as GitHub engineers and members of the git-security mailing list. A complete copy of the report (along with a variety of issues that weren't deemed to have security implications) is available here.

The Windows-specific issue involves a `$PATH` lookup that includes the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI.

## CVE-2022-41903

The first set of updates concerns Git's commit-formatting mechanism, used to display arbitrary information about commits, as in `git log --format`. When processing one of the padding operators (for example, `%<(`, `%>(`, etc.)
an integer overflow can occur when a large offset is given. This vulnerability can be triggered directly via `git log --format`. It may also be triggered indirectly via Git's `export-subst` mechanism, which applies the formatting modifiers to selected files when using `git archive`. This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. [source]

## CVE-2022-23521

`gitattributes` are used to define unique attributes corresponding to paths in your repository. These attributes are defined by `.gitattributes` file(s) within your repository. The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly long names.

These overflows may be triggered via a malicious `.gitattributes` file. However, Git automatically splits lines at 2KB when reading `.gitattributes` from a file, but not when parsing it from the index. Successfully exploiting this vulnerability therefore depends on the location of the `.gitattributes` file in question. Like the above, this integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution. [source]

## CVE-2022-41953

After cloning a repository, Git GUI automatically applies some post-processing to the resulting checkout, including running a spell-checker, if one is available. A Windows-specific vulnerability causes Git GUI to look for the spell-checker in the worktree that was just checked out, which may result in running untrusted code. [source]

## Upgrade to the latest Git version

The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.1. If you can't update immediately, reduce your risk by taking the following steps:

* Avoid invoking the `--format` mechanism directly with the known operators, and avoid running `git archive` in untrusted repositories.
* If you expose `git archive` via `git daemon`, consider disabling it when working with untrusted repositories by running `git config --global daemon.uploadArch false`.
* Avoid using Git GUI on Windows when cloning untrusted repositories.

In order to protect users against these attacks, GitHub has taken proactive steps. Specifically, we:

* Scanned all repositories on GitHub.com to confirm that no evidence exists to conclude that GitHub was used as a vector to exploit any of these vulnerabilities.
* Implemented mitigation steps to prevent GitHub.com from being used as an attack vector in CVE-2022-41903 and CVE-2022-23521.
* Scheduled a GitHub Desktop release for later today, January 17, that prevents the exploitation of this vulnerability.
* Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
* Scheduled updates to GitHub Enterprise Server^1 with patched versions of Git.

Credit for CVE-2022-41903 goes to Joern Schneeweisz of GitLab. Credit for CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41 D-Sec, whose work was sponsored by OSTIF. Fixes were written by Patrick Steinhardt of GitLab, with additional help from members of the Git security mailing list. Credit for finding CVE-2022-41953 goes to Yu Chen Dong.

Download Git 2.39.1

Notes

1. The updates will be present in GitHub Enterprise Server versions 3.3.19, 3.4.14, 3.5.11, 3.6.7, and 3.7.4.
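The padding-operator issue described under CVE-2022-41903 above comes down to a width parsed from untrusted format input being used in size arithmetic without a bound. As an added illustration (not Git's own code and not the actual fix), here is a small C parser for the `%<(N)`-style placeholders that checks the accumulated width against a cap before every multiply-add step, so the value can never wrap, together with a padding routine that refuses widths the output buffer cannot hold. `MAX_PAD_WIDTH`, `parse_padding_width` and `pad_field` are names and limits chosen for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed cap on a padding width, chosen for this example; the page does not
 * state what limit Git's fix uses. */
#define MAX_PAD_WIDTH 4096

/* Parse a padding placeholder of the form %<(N), %>(N), %><(N), %<|(N) or
 * %>>(N) at the start of fmt.  Returns N (0..MAX_PAD_WIDTH) on success and -1
 * on malformed or oversized input.  If end is non-NULL, *end receives the
 * position just past ')'.  The width is compared against the cap before each
 * multiply-add, so no intermediate value can exceed MAX_PAD_WIDTH, let alone
 * wrap around. */
int parse_padding_width(const char *fmt, const char **end)
{
    const char *p = fmt;
    int width = 0;

    if (*p++ != '%')
        return -1;
    if (*p != '<' && *p != '>')              /* first alignment character */
        return -1;
    p++;
    if (*p == '<' || *p == '>' || *p == '|') /* optional second one */
        p++;
    if (*p++ != '(')
        return -1;
    if (!isdigit((unsigned char)*p))         /* at least one digit required */
        return -1;
    while (isdigit((unsigned char)*p)) {
        int d = *p - '0';
        if (width > (MAX_PAD_WIDTH - d) / 10) /* width*10+d would exceed cap */
            return -1;
        width = width * 10 + d;
        p++;
    }
    if (*p++ != ')')
        return -1;
    if (end)
        *end = p;
    return width;
}

/* Write text left-aligned and space-padded to exactly width bytes into out
 * (NUL-terminated).  Returns width on success or -1 if width is out of range
 * or out cannot hold width+1 bytes.  Text longer than width is truncated
 * rather than written past the field. */
int pad_field(char *out, size_t outsz, int width, const char *text)
{
    size_t n;
    if (width < 0 || width > MAX_PAD_WIDTH || (size_t)width + 1 > outsz)
        return -1;
    n = strlen(text);
    if (n > (size_t)width)
        n = (size_t)width;
    memcpy(out, text, n);
    memset(out + n, ' ', (size_t)width - n);
    out[width] = '\0';
    return width;
}
```

The cap check happens before the multiplication, which is the whole point: testing `width > MAX_PAD_WIDTH` after the multiply-add would itself be a signed-overflow check made too late.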
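For CVE-2022-23521 above, the defensive point is that every quantity the `.gitattributes` parser counts (patterns, attributes per line, attribute-name length, and line length when the data comes from the index rather than a file) needs an explicit ceiling checked before the count grows. The following C checker is an added example, not Git's parser and not its fix: it scans an in-memory blob (the case where Git's 2KB file-line split does not apply) and rejects input that exceeds assumed limits. `MAX_LINE_LEN`, `MAX_ATTRS_PER_LINE`, `MAX_ATTR_NAME`, `MAX_PATTERNS`, `check_gitattributes`, `attr_stat_str` and `check_synthetic_line` are names and values chosen for this example; `check_synthetic_line` constructs its own input.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for this example.  2048 mirrors the 2KB line split the page
 * says Git applies when reading from a file; the rest are illustrative. */
#define MAX_LINE_LEN       2048
#define MAX_ATTRS_PER_LINE 100
#define MAX_ATTR_NAME      256
#define MAX_PATTERNS       10000

enum attr_err { ATTR_OK = 0, ATTR_E_LINE_TOO_LONG = -1, ATTR_E_TOO_MANY_ATTRS = -2,
                ATTR_E_NAME_TOO_LONG = -3, ATTR_E_TOO_MANY_PATTERNS = -4 };

struct attr_stats {
    size_t patterns;  /* non-comment lines seen */
    size_t attrs;     /* attribute tokens seen across all lines */
};

/* Scan a .gitattributes blob held in memory (the index case, where no 2KB
 * split has happened) and test every limit before the matching counter grows.
 * Returns ATTR_OK or a negative enum attr_err. */
int check_gitattributes(const char *blob, size_t len, struct attr_stats *st)
{
    size_t pos = 0;
    memset(st, 0, sizeof *st);
    while (pos < len) {
        size_t eol = pos, i, line_attrs = 0;
        int field = 0;
        while (eol < len && blob[eol] != '\n') eol++;
        if (eol - pos > MAX_LINE_LEN)
            return ATTR_E_LINE_TOO_LONG;
        for (i = pos; i < eol; field++) {
            const char *t, *eq;
            size_t n;
            while (i < eol && isspace((unsigned char)blob[i])) i++;
            if (i >= eol)
                break;
            t = blob + i;
            while (i < eol && !isspace((unsigned char)blob[i])) i++;
            n = (size_t)(blob + i - t);
            if (field == 0) {                   /* first token: the path pattern */
                if (*t == '#')
                    break;                      /* comment line */
                if (st->patterns == MAX_PATTERNS)
                    return ATTR_E_TOO_MANY_PATTERNS;
                st->patterns++;
                continue;
            }
            if (*t == '-' || *t == '!') { t++; n--; }  /* unset/unspecified prefix */
            eq = memchr(t, '=', n);             /* name ends at '=' if a value follows */
            n = eq ? (size_t)(eq - t) : n;
            if (n > MAX_ATTR_NAME)
                return ATTR_E_NAME_TOO_LONG;
            if (line_attrs == MAX_ATTRS_PER_LINE)
                return ATTR_E_TOO_MANY_ATTRS;
            line_attrs++;
            st->attrs++;
        }
        pos = eol + 1;
    }
    return ATTR_OK;
}

/* Run the checker on a NUL-terminated string and return one statistic
 * (0 = patterns, 1 = attrs) or a negative error code. */
int attr_stat_str(const char *s, int which)
{
    struct attr_stats st;
    int rc = check_gitattributes(s, strlen(s), &st);
    if (rc < 0)
        return rc;
    return (int)(which == 0 ? st.patterns : st.attrs);
}

/* Build one constructed line "pattern" followed by n_attrs attributes whose
 * names are name_len 'a's, and report the checker's verdict on it. */
int check_synthetic_line(size_t n_attrs, size_t name_len)
{
    size_t need = 8 + n_attrs * (name_len + 1) + 1, pos = 7, k;
    struct attr_stats st;
    char *buf = malloc(need);
    int rc;
    if (!buf) return -99;
    memcpy(buf, "pattern", 7);
    for (k = 0; k < n_attrs; k++) {
        buf[pos++] = ' ';
        memset(buf + pos, 'a', name_len);
        pos += name_len;
    }
    buf[pos++] = '\n';
    rc = check_gitattributes(buf, pos, &st);
    free(buf);
    return rc;
}
```

Because the line-length check runs first, an oversized line is rejected before its tokens are ever counted; this is the check that the file-reading path gets for free from the 2KB split and the index path, per the advisory, did not.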