Git is a widely used revision control system for managing and tracking changes in source code. A recently identified vulnerability, CVE-2023-29007, affects Git versions prior to 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. This vulnerability can be exploited by an attacker to inject arbitrary configuration into a user's $GIT_DIR/config and potentially lead to remote code execution.

In order to exploit this vulnerability, an attacker needs to craft a .gitmodules file with submodule URLs that are longer than 1024 characters. This specially crafted file would exploit a bug in the config.c::git_config_copy_or_rename_section_in_file() function when attempting to remove the configuration section associated with the submodule.

Here is a simplified sketch of the affected function; the vulnerable logic itself is elided:

int git_config_copy_or_rename_section_in_file(const char *config_filename,
                                              const char *old_name,
                                              const char *new_name,
                                              unsigned int flags)
{
    struct config_source top;
    struct config_source *src;
    int ret;

    top.u.file.path = get_extended_filename(config_filename);
    top.next = NULL;

    ret = config_source_file(&top, top.u.file.path, CONFIG_FLAGS_NONE);
    if (ret < 0)
        return ret;

    /* Here be dragons: exploitable bug */
    ...
}

The impact of this vulnerability can be severe, as the injected configuration values can specify executables to run, such as core.pager, core.editor, core.sshCommand, and more. As a result, it can lead to remote code execution on the affected system.

The vulnerability was patched in Git versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. Users should update to the latest Git version to protect their systems against this vulnerability.

For those who cannot immediately update Git, a temporary workaround is available. Users should avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.
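
The inspection step in this workaround can be scripted. The following is an added example, not code from the Git project or from the original advisory: it walks a config-format file ($GIT_DIR/config or .gitmodules) and reports every line of 1024 bytes or more together with the section it sits in. The name audit_config, the sample data, and the choice to flag lines at exactly 1024 bytes (slightly more conservative than "longer than 1024") are assumptions of this example.

```python
import re

# Length named in the advisory text; flagging at >= LIMIT is a conservative assumption.
LIMIT = 1024
# Matches [section] and [section "subsection"] headers in git config syntax.
SECTION_RE = re.compile(rb'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')

# Constructed sample input: one ordinary submodule and one with an overlong URL.
SAMPLE = (
    b'[core]\n\trepositoryformatversion = 0\n'
    b'[submodule "docs"]\n\turl = https://example.invalid/docs.git\n'
    b'[submodule "vendor/lib"]\n\turl = https://example.invalid/' + b"a" * 1100 + b"\n"
)

def audit_config(data: bytes, limit: int = LIMIT):
    """Return one finding per physical line whose length is >= limit bytes."""
    findings = []
    section = None  # most recent section header seen, None before the first one
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).decode("ascii").lower()
            sub = m.group(2)
            section = name if sub is None else f'{name} "{sub.decode("utf-8", "replace")}"'
        if len(line) >= limit:
            # Report only the key name, never the overlong value itself.
            key = line.split(b"=", 1)[0].strip().decode("utf-8", "replace")[:40]
            findings.append(
                {"line": lineno, "section": section, "key": key, "length": len(line)}
            )
    return findings

if __name__ == "__main__":
    import sys
    # Audit the files given on the command line, or the constructed sample if none.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, data in inputs:
        for f in audit_config(data):
            print(f'{name}:{f["line"]}: {f["length"]} bytes in [{f["section"]}] key {f["key"]!r}')
```

Run it against both .gitmodules and $GIT_DIR/config of a repository before git submodule deinit; any output means the file needs manual review first.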

Stay vigilant and ensure your Git software is up to date in order to safeguard your system from this remote code execution vulnerability (CVE-2023-29007).

Timeline

Published on: 04/25/2023 21:15:00 UTC
Last modified on: 05/04/2023 21:19:00 UTC