Git has released patches for two severe remote code execution vulnerabilities tracked as CVE-2022-41903 and CVE-2022-23521. Both are heap-based buffer overflows. CVE-2022-41903 affects the “git archive” and “git log --format” commands, while CVE-2022-23521 affects the parsing of the “.gitattributes” file, which defines a set of file patterns and the attributes that should be set for paths matching those patterns. Both vulnerabilities were discovered by researchers at X41 and GitLab during a security audit.
Below are the affected and patched versions of git and git-for-windows:
- git-for-windows
  - Vulnerable
    - <= 2.39.0(2)
  - Patched
    - >= 2.39.1
- git
  - Vulnerable
    - <= v2.30.6
    - <= v2.31.5
    - <= v2.32.4
    - <= v2.33.5
    - <= v2.34.5
    - <= v2.35.5
    - <= v2.36.3
    - <= v2.37.4
    - <= v2.38.2
    - <= v2.39.0
  - Patched
    - >= v2.30.7
    - >= v2.31.6
    - >= v2.32.5
    - >= v2.33.6
    - >= v2.34.6
    - >= v2.35.6
    - >= v2.36.4
    - >= v2.37.5
    - >= v2.38.3
    - >= v2.39.1
Analyst Notes
The most effective mitigation for these vulnerabilities is upgrading to the latest Git release. If upgrading Git is not possible, CVE-2022-41903 can be mitigated by:
• Disabling ‘git archive’ in untrusted repositories, or avoiding running the command against untrusted repositories
• If ‘git archive’ is exposed via ‘git daemon’, disabling it for untrusted repositories by running the ‘git config --global daemon.uploadArch false’ command
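The version table above and the daemon.uploadArch mitigation are both things a defender will want to check on a fleet of hosts. The following POSIX shell script is an added example (not part of the original advisory or of Git itself): it normalises the output of ‘git --version’, including git-for-windows strings such as “2.39.0.windows.2”, looks up the minimum patched release for the installed maintenance series from the table above, and reports whether the host is patched. When run directly it also reports whether the global daemon.uploadArch setting is already false. The function names and the “unsupported-series” / “newer-than-advisory” labels are this example’s own choices, not Git terminology.

```shell
#!/bin/sh
# Added example: check an installed Git against the patched releases named in
# the advisory for CVE-2022-41903 / CVE-2022-23521. Function names are ours.

# Minimum patched release for each maintenance series listed in the advisory.
patched_for_series() {
  case "$1" in
    2.30) echo 2.30.7 ;;
    2.31) echo 2.31.6 ;;
    2.32) echo 2.32.5 ;;
    2.33) echo 2.33.6 ;;
    2.34) echo 2.34.6 ;;
    2.35) echo 2.35.6 ;;
    2.36) echo 2.36.4 ;;
    2.37) echo 2.37.5 ;;
    2.38) echo 2.38.3 ;;
    2.39) echo 2.39.1 ;;
    *) echo "" ;;
  esac
}

# Reduce "git version 2.39.0.windows.2", "v2.38.2" or "2.39.0(2)" to "2.39.0".
normalize_version() {
  printf '%s\n' "$1" | sed 's/^git version //; s/^v//; s/[^0-9.].*$//' | cut -d. -f1-3
}

# Numeric major.minor.patch comparison: succeeds when $1 >= $2.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# Classify a raw version string as patched / vulnerable, or flag a series the
# advisory does not cover (older than 2.30 receives no fix; newer post-dates it).
git_status() {
  v=$(normalize_version "$1")
  series=$(printf '%s' "$v" | cut -d. -f1-2)
  min=$(patched_for_series "$series")
  if [ -z "$min" ]; then
    if version_ge "$v" 2.40.0; then echo newer-than-advisory; else echo unsupported-series; fi
    return 0
  fi
  if version_ge "$v" "$min"; then echo patched; else echo vulnerable; fi
}

# Report whether the daemon.uploadArch mitigation from the advisory is in place.
upload_arch_mitigated() {
  [ "$(git config --global --get daemon.uploadArch 2>/dev/null)" = "false" ]
}

# Stand-alone use: inspect the git binary on this host, if there is one.
if command -v git >/dev/null 2>&1; then
  echo "git: $(git_status "$(git --version)")"
  if upload_arch_mitigated; then
    echo "daemon.uploadArch: false (git archive disabled for git daemon)"
  else
    echo "daemon.uploadArch: not set to false"
  fi
fi
```

A host in the 2.29 series is reported as “unsupported-series” rather than “vulnerable” on purpose: the advisory publishes no fixed release for it, so the only remediation is moving to a maintained series.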
https://www.bleepingcomputer.com/news/security/git-patches-two-critical-remote-code-execution-security-flaws/
