Git security audit reveals critical overflow bugs

The audit turned up two critical overflow bugs alongside a range of high-, medium-, and low-severity issues.

Security Analysis

A security review of the Git source code has uncovered multiple vulnerabilities, including two critical integer overflow bugs.

The audit, carried out by X41 D-Sec with sponsorship from the Open Source Technology Improvement Fund (OSTIF), also reported several high-, medium-, and low-severity issues.

Given Git's ubiquity and its integration into popular packaging systems, these vulnerabilities could have a significant impact on software supply chain security.

Critical Clone Vulnerability

The most serious flaw is a memory corruption bug triggered while Git parses .gitattributes files (tracked as CVE-2022-23521). Developers use these files to tell Git how to handle particular file types and paths, for example which line endings or encodings to apply.

The researchers found that an excessively long attribute line, or a very large number of attribute lines, could overflow the integer counters used by the parsing code. The resulting out-of-bounds reads and writes can in turn be leveraged for arbitrary code execution.

An attacker could exploit the bug by committing a malicious .gitattributes file to a repository; it fires when a victim later runs ordinary Git commands, such as cloning or checking out that repository.

Crucially, the victim does not need to pass any special arguments or run any unusual command, which is what makes the bug a plausible vector for severe supply chain attacks.
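To make the overflow concrete, here is an added C example, written for this page and not code from Git or from the X41 audit, of a deliberately bounded .gitattributes line parser and the table-sizing arithmetic behind such a parser. The per-line cap, the attribute cap and the 16-byte record size are assumptions of the example rather than Git's actual values. naive_table_bytes shows how a 32-bit counter wraps to a tiny allocation, and checked_table_bytes shows the size_t arithmetic with an explicit overflow check that this class of fix relies on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Caps chosen for this example (assumed values, not Git's source): a
 * .gitattributes line longer than MAX_ATTR_LINE bytes, or carrying more
 * than MAX_ATTRS_PER_LINE attributes, is rejected outright instead of
 * being counted with arithmetic that could wrap. */
#define MAX_ATTR_LINE       2048u
#define MAX_ATTRS_PER_LINE  256u
#define ENTRY_BYTES         16u   /* assumed size of one attribute record */

struct attr_line {
    char buf[MAX_ATTR_LINE + 1];           /* tokenised copy of the line */
    const char *pattern;                   /* path pattern, the first token */
    const char *attrs[MAX_ATTRS_PER_LINE]; /* "text", "-diff", "eol=lf", ... */
    size_t nattrs;
};

/* Parse one line of .gitattributes: "<pattern> attr [attr ...]".
 * Returns 0 on success and -1 when the line is blank, a comment,
 * over the length cap, or over the attribute cap. */
int parse_attr_line(const char *line, struct attr_line *out)
{
    size_t len = 0;
    /* Bounded scan: stop as soon as the cap is exceeded, so an
     * attacker-supplied multi-gigabyte line never reaches a counter
     * that could overflow. */
    while (line[len] != '\0' && line[len] != '\n') {
        if (++len > MAX_ATTR_LINE)
            return -1;
    }
    memcpy(out->buf, line, len);
    out->buf[len] = '\0';
    out->pattern = NULL;
    out->nattrs = 0;

    char *p = out->buf;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        char *tok = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        if (*p)
            *p++ = '\0';
        if (!out->pattern) {
            if (tok[0] == '#')          /* comment line */
                return -1;
            out->pattern = tok;
            continue;
        }
        if (out->nattrs >= MAX_ATTRS_PER_LINE)
            return -1;                  /* too many attributes: reject, do not wrap */
        out->attrs[out->nattrs++] = tok;
    }
    return out->pattern ? 0 : -1;
}

/* The bug class: sizing a table with a 32-bit counter wraps silently.
 * 0x10000000 entries * 16 bytes == 0x100000000, which truncates to 0,
 * so the allocation is tiny and every later write lands out of bounds. */
uint32_t naive_table_bytes(uint32_t count)
{
    return count * ENTRY_BYTES;
}

/* The fix: size_t arithmetic with an explicit overflow check
 * (__builtin_mul_overflow is a GCC/Clang intrinsic). */
bool checked_table_bytes(size_t count, size_t *bytes)
{
    return !__builtin_mul_overflow(count, (size_t)ENTRY_BYTES, bytes);
}

int main(void)
{
    struct attr_line al;
    /* Constructed sample lines; not taken from any real repository. */
    const char *ok = "*.sh text eol=lf -diff";
    char huge[MAX_ATTR_LINE + 64];
    memset(huge, 'a', sizeof(huge) - 1);
    huge[sizeof(huge) - 1] = '\0';

    if (parse_attr_line(ok, &al) == 0)
        printf("pattern=%s attrs=%zu\n", al.pattern, al.nattrs);
    printf("oversize line rejected: %s\n", parse_attr_line(huge, &al) ? "yes" : "no");
    printf("naive bytes for 0x10000000 entries: %u\n", naive_table_bytes(0x10000000u));
    size_t n;
    printf("checked SIZE_MAX entries: %s\n", checked_table_bytes(SIZE_MAX, &n) ? "ok" : "overflow");
    return 0;
}
```

The property worth copying is that every limit is enforced before any arithmetic is done on attacker-controlled lengths: an oversize line is dropped rather than counted, and a table size that would not fit is refused rather than wrapped.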

Markus Vervier, the managing director at X41 D-Sec, stated, “If attackers were to target a widely used library, they could impact all Git clients relying on it, indirectly affecting anyone using standard package systems to acquire software.”

The vulnerability could also pose risks to Git hosting services such as GitHub and GitLab, though Vervier noted that both platforms had already deployed patches. Fixes for Git itself shipped in version 2.39.1, with backports to the older maintained release series.

Vulnerable Git Operations

The second critical issue (CVE-2022-41903) can lead to code execution during the git archive operation that hosting platforms such as GitHub and GitLab run routinely on user repositories.

git log and git show accept a user-supplied --format string for printing commits. The parser for these pretty formats contains an integer overflow that a particular sequence of formatting specifiers, the padding operators such as %<(N), can trigger.

The bug can be triggered directly, by passing a crafted format string to git log or git show, or indirectly through git archive, which expands the same $Format:...$ placeholders inside files marked with the export-subst attribute in .gitattributes.

GitLab security engineer Joern Schneeweisz confirmed that an attacker could trigger this vulnerability by manipulating the arguments to the respective commands. However, he highlighted a more novel attack vector involving Git operations.

If the problematic format statement is embedded in a file within the repository, the bug can be triggered through a standard command alone, without any injected arguments, Schneeweisz elaborated.

“The malicious code would reside within the repository and activate upon executing the command,” Schneeweisz explained. “Executing commands on arbitrary repositories is a common operation for Git platforms, thus making this a significant risk regarding remote code execution.”
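As an added example, not Git's code and not from the audit, the C program below walks both paths described in this section. parse_pad_width reads the width of a %<(N) or %>(N) padding operator with a hard upper bound and an ERANGE check, format_padded performs the padding in size_t arithmetic with a capacity check before any write, and expand_format_placeholders stands in for the export-subst path by scanning file content for $Format:...$ placeholders, so a width smuggled in through a repository file meets the same rejection as one passed on the command line. MAX_PAD_WIDTH, the restricted placeholder grammar (only the basic %<(N) and %>(N) forms) and the single substituted value are this example's simplifications.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound for a padding width; assumed for this example, not Git's value. */
#define MAX_PAD_WIDTH 4096u

/* Parse the width N out of a "%<(N)" or "%>(N)" placeholder at *spec.
 * On success stores the width and alignment, advances *spec past ')',
 * and returns true. Out-of-range or malformed widths are rejected here,
 * before any buffer arithmetic can use them. */
bool parse_pad_width(const char **spec, size_t *width, char *align)
{
    const char *p = *spec;
    if (p[0] != '%' || (p[1] != '<' && p[1] != '>') || p[2] != '(')
        return false;
    *align = p[1];
    p += 3;
    if (!isdigit((unsigned char)*p))
        return false;
    errno = 0;
    char *end;
    unsigned long long w = strtoull(p, &end, 10);
    if (errno == ERANGE || w > MAX_PAD_WIDTH || *end != ')')
        return false;          /* too wide, or garbage before ')' */
    *width = (size_t)w;
    *spec = end + 1;
    return true;
}

/* Write `value` padded to `width` (left- or right-aligned) into out.
 * Returns the number of bytes written, or -1 if out cannot hold them.
 * All lengths are size_t and the capacity check precedes every write. */
long format_padded(const char *value, size_t width, char align,
                   char *out, size_t outcap)
{
    size_t len = strlen(value);
    size_t total = len > width ? len : width;   /* never truncate the value */
    if (total >= outcap)
        return -1;
    size_t pad = total - len;
    if (align == '>') {
        memset(out, ' ', pad);
        memcpy(out + pad, value, len);
    } else {
        memcpy(out, value, len);
        memset(out + len, ' ', pad);
    }
    out[total] = '\0';
    return (long)total;
}

/* The indirect path: scan file content for "$Format:%<(N)$" placeholders,
 * the kind git archive expands for export-subst files, and expand each
 * one with `value` (standing in for the commit field). Returns the output
 * length, or -1 if any placeholder is malformed, too wide, or does not fit. */
long expand_format_placeholders(const char *content, const char *value,
                                char *out, size_t outcap)
{
    static const char marker[] = "$Format:";
    size_t o = 0;
    const char *p = content;
    while (*p) {
        if (strncmp(p, marker, sizeof(marker) - 1) == 0) {
            const char *spec = p + sizeof(marker) - 1;
            size_t width;
            char align;
            if (!parse_pad_width(&spec, &width, &align) || *spec != '$')
                return -1;
            long n = format_padded(value, width, align, out + o, outcap - o);
            if (n < 0)
                return -1;
            o += (size_t)n;
            p = spec + 1;
        } else {
            if (o + 1 >= outcap)
                return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    char out[256];
    /* Constructed inputs; not taken from any real repository. */
    const char *benign = "version: $Format:%<(12)$!";
    const char *hostile = "version: $Format:%<(4294967295)$!";
    long n = expand_format_placeholders(benign, "v2.39", out, sizeof(out));
    printf("%ld [%s]\n", n, out);
    n = expand_format_placeholders(hostile, "v2.39", out, sizeof(out));
    printf("hostile width rejected: %s\n", n < 0 ? "yes" : "no");
    return 0;
}
```

The design point is that width validation lives in one function reached from both entry points; a hardening that only checks the --format argument would leave the file-driven path open.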

Supply Chain Implications

Beyond the two critical bugs, the audit identified numerous integer-related issues that could lead to denial of service, out-of-bounds reads, or mishandled edge cases when processing very large inputs. Vervier stressed the significance of the findings for software supply chain security.

“Given Git’s integral role as a supply chain attack vector in today’s IT ecosystem—leveraged even by package managers like Rust/Cargo, Golang, NodeJS, and others—it stands as the most widely employed source code versioning tool for development,” he stated.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/git-security-audit-reveals-critical-overflow-bugs
