Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953.
The first two vulnerabilities affect Git’s commit formatting mechanism and
.gitattributes parser, respectively. The former can be used to perform arbitrary heap writes, while the latter can be used for arbitrary reads, too. Both may result in arbitrary code execution, so users should upgrade immediately. Both were also found as part of an audit of the Git codebase conducted by X41. This audit was sponsored by the Open Source Technology Improvement Fund (OSTIF). Fixes were authored by engineers from the GitLab Security Research Team, as well as GitHub Engineers, and members of the git-security mailing list.
A complete copy of the report (along with a variety of issues that weren’t deemed to have security implications) is available here.
The Windows-specific issue involves a
$PATH lookup including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI.
The first set of updates concern Git’s commit-formatting mechanism, used to display arbitrary information about commits, as in
git log --format. When processing one of the padding operators (for example,
%>(, etc.) an integer overflow can occur when a large offset is given).
This vulnerability can be triggered directly via
git log --format. It may also be triggered indirectly via Git’s
export-subst mechanism, which applies the formatting modifiers to selected files when using
This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.
gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by
.gitattributes file(s) within your repository.
The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly-long names.
These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading
.gitattributes from a file, but not when parsing it from the index. Successfully exploiting this vulnerability depends on the location of the
.gitattributes file in question.
Like the above, this integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.
After cloning a repository, Git GUI automatically applies some post-processing to the resulting checkout, including running a spell-checker, if one is available.
A Windows-specific vulnerability causes Git GUI to look for the spell-check in the worktree that was just checked out, which may result in running untrusted code.
The most effective way to protect against these vulnerabilities is to upgrade to Git 2.39.1. If you can’t update immediately, reduce your risk by taking the following steps:
- Avoid invoking the
--formatmechanism directly with the known operators, and avoid running
git archivein untrusted repositories.
- If you expose
git daemon, consider disabling it if working with untrusted repositories by running
git config --global daemon.uploadArch false.
- Avoid using Git GUI on Windows when cloning untrusted repositories.
In order to protect users against these attacks, GitHub has taken proactive steps. Specifically, we:
- Scanned all repositories on GitHub.com to confirm that no evidence exists to conclude that GitHub was used as a vector to exploit any of these vulnerabilities.
- Implemented mitigation steps to prevent GitHub.com from being used as an attack vector in CVE-2022-41903, and CVE-2022-23521.
- Scheduled a GitHub Desktop release for later today, January 17, that prevents the exploitation of this vulnerability.
- Scheduled updates to GitHub Codespaces and GitHub Actions to upgrade their versions of Git.
- Scheduled updates to GitHub Enterprise Server1 with patched versions of Git.
Credit for CVE-2022-41903 goes to Joern Schneeweisz of GitLab. Credit for CVE-2022-23521 goes to Markus Vervier, and Eric Sesterhenn of X41 D-Sec, whose work was sponsored by OSTIF. Fixes were written by Patrick Steinhardt of GitLab, with additional help from members of the Git security mailing list.
Credit for finding CVE-2022-41953 goes to 俞晨东.
- The updates will be present in GitHub Enterprise Server versions 3.3.19, 3.4.14, 3.5.11, 3.6.7, and 3.7.4. ↩