Cybersecurity researchers from X41 and GitLab have found three high-severity vulnerabilities in the Git distributed version control system.
The issues could have allowed threat actors to run arbitrary code on targeted endpoints by exploiting heap-based buffer overflow vulnerabilities, the researchers said. Of the three flaws, two already have patches available, while a workaround is available for the third.
The two vulnerabilities that have been patched are tracked as CVE-2022-41903 and CVE-2022-23521. Developers looking to protect their systems should update Git to version 2.30.7. The third is tracked as CVE-2022-41953, and the workaround is to not use the Git GUI software to clone repositories. Another way to stay safe, according to BleepingComputer, is to avoid cloning from untrusted sources altogether.
Patches and workarounds
“The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges,” the researchers said in their explanation of the findings.
“Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input.”
Git has since released a few further versions, so to be on the safe side, make sure you are running the latest version of Git, 2.39.1.
BleepingComputer notes that those who cannot apply the patch immediately should disable “git archive” in untrusted repositories, or avoid running the command on untrusted repositories. Moreover, if “git archive” is exposed via “git daemon”, users should disable it when working with untrusted repositories. This can be done with the “git config --global daemon.uploadArch false” command, it said.
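The following POSIX shell script is an added example, not code from the article or from X41, GitLab or BleepingComputer. It checks whether the locally installed Git is at one of the fixed versions the article names (2.30.7 on the 2.30 maintenance branch, or 2.39.1 as the latest release), and wraps the daemon.uploadArch mitigation in a function that is only applied when the script is run with an explicit `--apply` argument, so that merely running the check never changes the global Git configuration. Versions between 2.31 and 2.38 have their own fixed maintenance releases that the article does not list, so the script conservatively reports them as needing manual review rather than assuming they are patched.

```shell
#!/bin/sh
# Added example: check the installed Git against the fixed versions named in
# the article and, on request, apply the "git archive over git daemon" workaround.

# version_ge A B: succeed (exit 0) if dotted version A is >= dotted version B.
# Compares component by component so that 2.40 sorts above 2.39.1 and
# 2.39 sorts below 2.39.1 (a missing component counts as 0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$x" = "$a" ] && a="" || a="${a#*.}"
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ] 2>/dev/null; then return 0; fi
        if [ "$x" -lt "$y" ] 2>/dev/null; then return 1; fi
    done
    return 0
}

# git_is_patched VERSION: succeed if VERSION is one of the fixed releases the
# article names or newer. Only the 2.30 branch (fixed in 2.30.7) and the
# current release line (fixed in 2.39.1) are known to this script; other
# maintenance branches are reported as unpatched so that they get reviewed.
git_is_patched() {
    v="$1"
    case "$v" in
        2.30.*) version_ge "$v" "2.30.7" ;;
        *)      version_ge "$v" "2.39.1" ;;
    esac
}

# installed_git_version: print the version string from "git --version",
# or nothing if git is not on PATH.
installed_git_version() {
    git --version 2>/dev/null | awk '{print $3}'
}

# apply_archive_mitigation: the workaround quoted in the article. Stops
# "git daemon" from serving archive requests (git upload-archive) while
# repositories from untrusted sources are in use. Modifies global config.
apply_archive_mitigation() {
    git config --global daemon.uploadArch false
}

installed="$(installed_git_version)"
if [ -z "$installed" ]; then
    echo "git not found on PATH; nothing to check"
elif git_is_patched "$installed"; then
    echo "git $installed: at or above a fixed version named in the article"
else
    echo "git $installed: not a fixed version this script knows; upgrade to 2.39.1"
    echo "or review your branch's maintenance release"
fi

# Only touch global configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_archive_mitigation && echo "daemon.uploadArch set to false"
fi
```

Run it with no arguments to get a report only; run it with `--apply` to set `daemon.uploadArch false` in the global configuration, which is the interim measure for hosts that expose repositories through `git daemon` and cannot upgrade immediately. The patched versions remain the real fix.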
“We strongly recommend that all installations running a version affected by the issues [..] are upgraded to the latest version as soon as possible,” GitLab warned.
Via: BleepingComputer