Git releases updates to fix two critical remote code execution vulnerabilities and a third vulnerability affecting Git’s GUI on Windows – Developpez.com

Git releases updates to fix two critical remote code execution vulnerabilities and a third vulnerability affecting Git’s GUI on Windows – Developpez.com

Git releases updates to fix two critical remote code
Git has fixed two critical vulnerabilities that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow vulnerabilities. Additionally, a third Windows-specific vulnerability affecting Git’s GUI tool, caused by a vulnerability in the untrusted search path, allows unauthenticated attackers to perform low-complexity attacks on untrusted code. Users are advised to update to the latest version, especially if they are using “git archive” or Git GUI on Windows.

In a blog post published on Wednesday, the Git team notes that the first two vulnerabilities affect Git’s commit formatting mechanism and the .gitattributes parser, respectively. The first bug (CVE-2022-41903) can be exploited to perform arbitrary writes to the heap, while the second (CVE-2022-23521) can also be exploited to perform arbitrary reads. Both errors can cause arbitrary code execution, so users should update immediately. Both issues were also discovered during an X41 review of the Git code base.

1674081577 69 Git releases updates to fix two critical remote code

The most severe issue discovered allows an attacker to trigger heap-based memory corruption during clone or pull operations, which could lead to code execution. Another critical bug allows code to run during a check-in operation, commonly performed by git forges, X41 security researchers said. This audit was sponsored by OSTIF (Open Source Technology Improvement Fund). Patches were written by engineers from the GitLab Security Research Team, GitHub engineers, and mailing list members git security.

According to the Git team, the Windows-specific issue (CVE-2022-41953) is a search for $PATH including the current working directory that can be exploited to execute arbitrary code when cloning repos using Git’s GUI . Below is more information on vulnerabilities and fixes.

CVE-2022-41903

The first set of updates affects Git’s commit formatting mechanism, which is used to display arbitrary information about commits, as in git log –format. When processing one of the padding operators (e.g. %<(, %>(, etc.) a large shift may result in an integer overflow. This error can be thrown directly via git log –format .

It can also be triggered indirectly via Git’s export-subst mechanism, which applies formatting modifiers to selected files when using the Git archive. This integer overflow can cause random reads and writes to the heap, which can lead to remote code execution.

CVE-2022-23521

Git attributes (.gitattributes) are used to define unique attributes that correspond to paths in your repository. These attributes are defined by one or more .gitattributes files in your repository. The parser used to read these files has several integer overflows that can occur when parsing a large number of patterns, a large number of attributes, or attributes with names that are too long. These overflows can be triggered by a malicious .gitattributes file.

However, Git automatically splits 2KB rows when reading .gitattributes from a file, but not when parsing from the index. Successful exploitation of this vulnerability depends on the location of the affected .gitattributes file. As in the previous case, this integer overflow can result in random reads and writes to the heap, which can lead to remote code execution.

CVE-2022-41953

After cloning a repository, the Git GUI automatically applies some post-processing to the resulting checkout, including running a spell check if available. A Windows-specific vulnerability causes the Git GUI to look for the spell checker in the newly checked out working tree, which may lead to the execution of untrusted code.

Update to the latest version of Git

In any case, according to the team, the most effective defense against attacks that try to exploit these vulnerabilities is to update to the latest version of Git (v2.39.1). If you can’t upgrade right away, reduce your risk by taking the following steps:

  • Avoid calling the –format mechanism directly with known operators, and avoid running Git archives in untrusted repositories;
  • If you make the Git archive available via the Git daemon, consider disabling it when working with untrusted repositories by running git config –global daemon.uploadArch false;
  • Avoid using the Git GUI on Windows when cloning untrusted repositories.

Source: GitHub

And you?

NVIDIAs NeRF AI can reconstruct a 3D scene from a What is your opinion on the topic?

See also

NVIDIAs NeRF AI can reconstruct a 3D scene from a GitHub Copilot, the AI-based programming assistant, is being fired at by critics. A developer claims that he has copyrighted many parts of his code

NVIDIAs NeRF AI can reconstruct a 3D scene from a A teacher points to GitHub Copilot as the perfect tool for cheaters in coding assessments, raising fears that AI will wipe out the developer profession

NVIDIAs NeRF AI can reconstruct a 3D scene from a GitHub will now use the term main instead of master to denote the default branch of projects, thereby breaking down racial stereotypes on the platform