GitLab has issued patches for two critical-severity security flaws in Git, both integer overflows that an attacker could turn into remote code execution.
The first vulnerability (CVE-2022-41903) is in Git's commit formatting code, which lets commits be displayed using arbitrary user-supplied formats, for example with git log --format. Processing the padding operators of such a format can cause an integer overflow. The overflow can be triggered directly, by a user running a command that formats commits with a crafted format string, or indirectly by
The overflow leads to arbitrary heap writes, which an attacker could turn into remote code execution (RCE). Upgrading to a patched version is the recommended fix. Users who cannot upgrade immediately should avoid running git archive in untrusted repositories and, where git archive is exposed through git daemon, disable it with git config --global daemon.uploadArch false.
The second flaw, CVE-2022-23521, is in Git's gitattributes parser, which reads the .gitattributes files that assign attributes to paths. Parsing gitattributes can lead to multiple integer overflows in several situations.
A crafted .gitattributes file committed into a repository's history can trigger the overflows, because Git does not split lines longer than 2KB when it reads gitattributes from the index. As with the first vulnerability, the overflows behind CVE-2022-23521 can lead to arbitrary heap reads and writes, and so to RCE. Unlike the first flaw, this one has no known workaround short of upgrading.
To address both issues, users should install a patched Git release. Fixes were backported to every maintained line down to v2.30, in v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3 and v2.39.1; git --version shows which line an installation is on.