CVE-2022-23521 - Integer Overflows in Git When Parsing Gitattributes: Remote Code Execution Risk

Git is a widely used distributed revision control system that allows developers to track changes in their projects. One of its features is the ability to define attributes for paths using .gitattributes files. However, a recently discovered vulnerability, CVE-2022-23521, shows that when parsing gitattributes, multiple integer overflows can occur under certain conditions, potentially leading to arbitrary heap reads and writes, and even remote code execution.

Exploit Details

CVE-2022-23521 details that when Git parses gitattributes, it can experience multiple integer overflows if:

The declared attribute names are huge.

These overflows can be triggered via a maliciously crafted .gitattributes file that may be part of the commit history. While Git does have a mechanism to silently split lines longer than 2KB when parsing gitattributes from a file, it does not do the same when parsing them from the index. As a result, the failure mode varies depending on whether the file exists in the working tree, the index, or both.

This integer overflow issue can lead to arbitrary heap reads and writes, posing a risk for remote code execution. This vulnerability has been assigned the CVE identifier CVE-2022-23521.

Affected Versions and Patch

The problem has been patched in the Git versions published on 2023-01-17, going back to v2.30.7. Users are strongly advised to upgrade their Git installations to the latest available version to fix this vulnerability. There are no known workarounds for this issue.

Original References

- Git Official Website
- CVE-2022-23521 - NVD
- Git Security Advisory

Here's an example .gitattributes file that could trigger this vulnerability when parsed

* huge_attribute_1 huge_attribute_2 ... huge_attribute_n
path_pattern_1 path_pattern_2 ... path_pattern_n

Keep in mind that the actual exploit file would require a much larger number of path patterns and attributes to trigger the integer overflows.

Conclusion

CVE-2022-23521 is a significant security threat to users of Git, as it could potentially result in remote code execution. To mitigate this risk, users should promptly upgrade their Git installations to a version that has the necessary patch applied. As always, it's crucial to maintain an up-to-date software environment and consistently monitor for the latest security advisories to stay protected from emerging threats.

Timeline

Published on: 01/17/2023 23:15:00 UTC
Last modified on: 01/26/2023 13:51:00 UTC