Git security audit reveals critical overflow bugs

Beyond the two critical bugs, the audit turned up several high-, medium- and low-severity issues.

Security Audit Overview

A recent audit of Git’s source code has uncovered a number of vulnerabilities, including two critical overflow bugs.

The audit, which was sponsored by the Open Source Technology Improvement Fund (OSTIF) and conducted by X41 D-Sec alongside GitLab, highlighted several high, medium, and low-severity security issues.

Because Git is so widely used and is integrated with popular packaging systems, these vulnerabilities pose a significant risk to the software supply chain.

Malicious Clone Operations

The most critical vulnerability identified by the researchers is a memory corruption bug that can occur when Git parses a repository's .gitattributes file. Developers use this file to control how Git handles particular files and paths, including line endings and file encoding.

The researchers found that a .gitattributes file containing excessively long lines or a very large number of attributes could overflow the integer counters used while parsing the file, corrupting memory and potentially allowing arbitrary code execution.

An attacker could exploit the flaw by committing a malicious .gitattributes file to a repository. The bug is then triggered when a victim operates on that repository with certain Git commands.

Because the trigger is an ordinary Git command rather than anything unusual the victim has to run, the bug could play a crucial role in a sophisticated supply chain attack.
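As an added illustration (this is not Git's parser and not code from the audit), the following shows how a parser for .gitattributes lines keeps a count-based allocation from overflowing: the line length is capped before anything is counted, the count lives in a size_t rather than an int, and the allocation size is computed through an explicit overflow check instead of trusted arithmetic. The MAX_ATTR_LINE_LEN value, the struct names and the sample line are assumptions made for the example; Git's real parser also handles quoting, macros and negated attributes, which this one ignores.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on one .gitattributes line. An assumption for this example,
 * chosen so that no count derived from a line can get anywhere near the
 * range where multiplying it by an element size could wrap. */
#define MAX_ATTR_LINE_LEN 100000

struct attr_state {
    const char *name;            /* points into the caller's line buffer */
    size_t name_len;
};

struct match_attr {
    const char *pattern;
    size_t pattern_len;
    size_t num_attr;             /* a count that sizes an allocation is size_t, never int */
    struct attr_state state[];   /* C99 flexible array member */
};

/* sizeof(header) + n * sizeof(element), refused instead of wrapped.
 * Returns 1 and stores the byte count, or 0 if the sum would overflow. */
int checked_alloc_size(size_t n, size_t *out)
{
    const size_t hdr = sizeof(struct match_attr), elem = sizeof(struct attr_state);
    if (n > (SIZE_MAX - hdr) / elem)
        return 0;
    *out = hdr + n * elem;
    return 1;
}

/* Walk the whitespace-separated tokens of a line; fn may be NULL to count only. */
static size_t for_each_token(const char *line, size_t len,
                             void (*fn)(const char *, size_t, void *), void *ctx)
{
    size_t i = 0, count = 0;
    while (i < len) {
        while (i < len && isspace((unsigned char)line[i])) i++;
        if (i == len) break;
        size_t start = i;
        while (i < len && !isspace((unsigned char)line[i])) i++;
        if (fn) fn(line + start, i - start, ctx);
        count++;
    }
    return count;
}

struct fill_ctx { struct match_attr *res; size_t idx; };

static void fill_token(const char *s, size_t n, void *ctx)
{
    struct fill_ctx *f = ctx;
    if (f->idx == 0) { f->res->pattern = s; f->res->pattern_len = n; }
    else { f->res->state[f->idx - 1].name = s; f->res->state[f->idx - 1].name_len = n; }
    f->idx++;
}

/* Parse one "pattern attr attr ..." line. Returns NULL for blank and comment
 * lines, for a line over the cap, and when the allocation size would wrap. */
struct match_attr *parse_attr_line(const char *line, size_t len)
{
    if (len > MAX_ATTR_LINE_LEN)
        return NULL;                       /* reject before counting anything */
    size_t i = 0;
    while (i < len && isspace((unsigned char)line[i])) i++;
    if (i == len || line[i] == '#')
        return NULL;
    size_t ntok = for_each_token(line, len, NULL, NULL);   /* >= 1 past this point */
    size_t bytes;
    if (!checked_alloc_size(ntok - 1, &bytes))
        return NULL;
    struct match_attr *res = malloc(bytes);
    if (!res)
        return NULL;
    res->num_attr = ntok - 1;
    struct fill_ctx f = { res, 0 };
    for_each_token(line, len, fill_token, &f);
    return res;
}

int main(void)
{
    const char *line = "*.txt text eol=lf -diff";   /* constructed sample line */
    struct match_attr *m = parse_attr_line(line, strlen(line));
    if (!m)
        return 1;
    for (size_t k = 0; k < m->num_attr; k++)
        printf("attr %zu: %.*s\n", k, (int)m->state[k].name_len, m->state[k].name);
    free(m);
    return 0;
}
```

The order of the checks is the point: the length cap runs before the tokenizer touches the line, so an attacker who controls the repository cannot drive the counter into a range where the multiplication in checked_alloc_size (or, in a less careful parser, a plain int counter) could wrap.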

“If attackers can stage this on a widely used library, they could impact the Git clients that utilize it, which may also include users of prevalent package systems,” said Markus Vervier, managing director at X41 D-Sec, during an interview with The Daily Swig.

This bug could also affect Git servers like GitHub or GitLab, according to Vervier, although he noted that both platforms have already implemented patches for it.

Attractive Yet Dangerous

The second critical vulnerability allows code execution during archive operations, which Git forges such as GitHub and GitLab run routinely.

Git commands such as git log can display commits using pretty formats. If a padding placeholder (%<(N), %>(N) or %><(N)) is used with a very large width, the pretty-format parser can suffer an integer overflow while processing the padding operators.

The overflow can be triggered directly by running a command that invokes the commit-formatting machinery with the vulnerable placeholder (for example git log with a crafted --format), or indirectly through git archive via the export-subst mechanism, which expands format placeholders found inside repository files while the archive is being built.


An attacker can exploit this bug through argument injection in the affected command, confirmed GitLab security engineer Joern Schneeweisz in comments to The Daily Swig. However, he pointed out that the more intriguing attack vector was through the git archive operation.

The attacker could insert a specific statement in the attributes file of a repository, causing the bug to trigger when a command is run without any injected arguments, Schneeweisz added.

“The payload would be completely contained within the repository, activated by calling a standard Git command,” Schneeweisz outlined. “Executing commands on arbitrary repositories is quite common on Git forges like GitLab or GitHub, making this mostly an RCE [remote code execution] threat.”
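To make both trigger paths concrete, the direct one through a format string and the indirect one through export-subst during git archive, here is an added example (not Git's code, and not from the audit or from GitLab) of a small pretty-format expander whose padding width is parsed against a hard cap and whose padding arithmetic cannot go negative, together with an export-subst-style pass that expands $Format:...$ markers inside file content, which is the route a repository-contained payload takes. MAX_PAD_WIDTH, the supported placeholders (%H, %s, %<(N), %>(N)), the scratch buffer sizes and the commit values are assumptions made for the example; Git's real formatter supports many more placeholders and padding options.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Cap on a padding width: an assumption for this example. Once the format string
 * can come from a repository file, the width is attacker-controlled, so it is
 * bounded before any arithmetic is done with it. */
#define MAX_PAD_WIDTH 4096

struct commit_info { const char *hash; const char *subject; };

struct out { char *buf; size_t len, cap; };   /* caller-owned, kept NUL-terminated */

static int emit(struct out *o, const char *s, size_t n)
{
    if (n >= o->cap - o->len) return 0;       /* would not fit, NUL included */
    memcpy(o->buf + o->len, s, n); o->len += n; o->buf[o->len] = '\0';
    return 1;
}

static int spaces(struct out *o, size_t n)
{
    if (n >= o->cap - o->len) return 0;
    memset(o->buf + o->len, ' ', n); o->len += n; o->buf[o->len] = '\0';
    return 1;
}

/* Parse the "N)" part of "%<(N)". Digits accumulate in a size_t and the cap is
 * checked per digit, so an oversized width is refused, never wrapped. */
int parse_pad_width(const char *s, size_t *width, size_t *consumed)
{
    size_t w = 0, i = 0;
    if (!isdigit((unsigned char)s[0])) return 0;
    for (; isdigit((unsigned char)s[i]); i++) {
        size_t d = (size_t)(s[i] - '0');
        if (w > (MAX_PAD_WIDTH - d) / 10) return 0;
        w = w * 10 + d;
    }
    if (s[i] != ')') return 0;
    *width = w; *consumed = i + 1;
    return 1;
}

/* Expand %H, %s and the padding placeholders %<(N) (pad right) and %>(N)
 * (pad left) into outbuf. Returns 1 on success; 0 on a malformed placeholder,
 * an over-cap width, or output that does not fit. */
int expand_format(const char *fmt, const struct commit_info *c, char *outbuf, size_t outsz)
{
    struct out o = { outbuf, 0, outsz };
    size_t width = 0;
    int mode = 0;                              /* 0 none, 1 pad right, 2 pad left */
    if (!emit(&o, "", 0)) return 0;            /* terminate even an empty result */
    for (const char *p = fmt; *p; ) {
        if (*p != '%') { if (!emit(&o, p++, 1)) return 0; continue; }
        p++;
        if (*p == '<' || *p == '>') {
            mode = (*p++ == '<') ? 1 : 2;
            size_t used;
            if (*p != '(' || !parse_pad_width(p + 1, &width, &used)) return 0;
            p += 1 + used;
            continue;
        }
        const char *val;
        if (*p == 'H') val = c->hash;
        else if (*p == 's') val = c->subject;
        else return 0;                         /* unknown placeholder: refuse, do not guess */
        p++;
        size_t len = strlen(val);
        size_t pad = (mode && width > len) ? width - len : 0;   /* cannot go negative */
        size_t left = (mode == 2) ? pad : 0;
        if (!spaces(&o, left) || !emit(&o, val, len) || !spaces(&o, pad - left)) return 0;
        mode = 0;
    }
    return 1;
}

/* Expand every "$Format:...$" marker in file content, as export-subst does during
 * git archive. The text between the markers is a format string chosen by whoever
 * committed the file, which is why the caps above matter. */
int expand_export_subst(const char *content, const struct commit_info *c, char *outbuf, size_t outsz)
{
    struct out o = { outbuf, 0, outsz };
    char fmt[256], expanded[4 * MAX_PAD_WIDTH];   /* scratch sizes are an assumption */
    if (!emit(&o, "", 0)) return 0;
    for (const char *p = content;;) {
        const char *m = strstr(p, "$Format:");
        const char *end = m ? strchr(m + 8, '$') : NULL;
        if (!end) return emit(&o, p, strlen(p));   /* no complete marker left: copy the rest */
        size_t flen = (size_t)(end - (m + 8));
        if (flen >= sizeof fmt) return 0;
        memcpy(fmt, m + 8, flen); fmt[flen] = '\0';
        if (!emit(&o, p, (size_t)(m - p)) || !expand_format(fmt, c, expanded, sizeof expanded) ||
            !emit(&o, expanded, strlen(expanded)))
            return 0;
        p = end + 1;
    }
}
```

With a constructed commit { "0123abcd", "Fix parser" }, feeding expand_export_subst the file content `version: $Format:%<(12)%H$` yields the hash padded to 12 columns, while `$Format:%<(4097)%H$` is refused as a whole rather than expanded with a wrapped width. The width is validated at parse time, before it reaches any arithmetic that sizes a buffer, and every write goes through a bounds-checked helper, so a repository-supplied format string can only make the operation fail, not corrupt memory.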

The Supply Chain Risk

Alongside the critical vulnerabilities, the researchers identified numerous integer-related issues that could lead to denial of service, out-of-bounds reads, or poorly handled edge cases involving large inputs. Vervier emphasized the relevance of these findings to the security of software supply chains.

“Git serves as a primary supply chain attack vector in today’s IT environment, as it is extensively utilized across various package managers such as Rust/Cargo, Golang, NodeJS, and more. It remains the most prevalent tool for source code versioning in development,” he stated.


Based on an article from PortSwigger's The Daily Swig: https://portswigger.net/daily-swig/git-security-audit-reveals-critical-overflow-bugs
