Git security audit reveals critical overflow bugs

The audit turned up multiple vulnerabilities across the high, medium and low severity ranges.


A detailed security review of Git’s source code has brought to light several vulnerabilities, including two major overflow bugs.

The security audit, facilitated by the Open Source Technology Improvement Fund (OSTIF), was conducted by X41 D-Sec in collaboration with GitLab. This review identified several vulnerabilities categorized by severity.

Given Git’s wide use and its role in numerous popular packaging systems, these vulnerabilities pose a significant threat to the overall security of the software supply chain.

Concerning cloning activities

The most critical flaw is a memory corruption bug in the way Git parses a repository’s .gitattributes file. This file lets developers customize how Git handles particular paths, for example line-ending conversion and encodings.

The researchers found that an excessively long attribute line, or a very large number of attributes, can overflow an integer counter in the parsing function, leading to an out-of-bounds write and potentially arbitrary code execution.


An attacker could exploit this by committing a malicious .gitattributes file to a repository; the flaw is triggered when the victim runs ordinary commands against that repository.

This bug doesn’t require any unusual arguments or commands from the victim, making it a potent tool in the arsenal of supply chain attackers.

“If attackers can implant it in a widely used library, it could adversely affect any Git clients employing that library, potentially impacting users making use of common package systems,” remarked Markus Vervier, managing director at X41 D-Sec, to The Daily Swig.

This vulnerability could also affect major Git services such as GitHub or GitLab, though Vervier noted both platforms have already implemented patches.

Aesthetically pleasing yet dangerous

The second critical issue identified enabled code execution during standard archive operations executed by Git platforms like GitHub and GitLab.

Commands such as git log and git show can render commits with custom formatting via the --format and --pretty options. Certain padding format specifiers, however, can cause an integer overflow when the formatter processes the requested width.

The overflow can be triggered directly when a user runs git log with a crafted format specifier, or indirectly through git archive, which expands the same kind of $Format:...$ placeholder in files that carry the export-subst attribute.
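The two bugs share one shape: a count or width arriving from attacker-controlled repository content is held in a 32-bit integer, and the arithmetic built on it wraps before a bounds check or allocation sees it. The following is an added example that models both the attribute-count overflow and the padding-width overflow described above in miniature. It is constructed teaching code, not Git's source: struct attr_state, MAX_ATTRS_PER_LINE and every function name are hypothetical, and the vulnerable variants deliberately stop at the wrapped size computation or the flawed bounds check rather than performing the out-of-bounds write.

```c
/*
 * Added example (not Git's source): a miniature model of the two overflow
 * shapes described in the article -- a 32-bit attribute count whose
 * allocation size wraps, and a 32-bit padding width whose bounds check
 * wraps -- each beside a hardened version that uses size_t, a hard cap and
 * explicit overflow tests.  struct attr_state, MAX_ATTRS_PER_LINE and all
 * function names are hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-attribute record: two pointers, so 8 or 16 bytes. */
struct attr_state {
    const char *name;
    const char *value;
};

/* Hypothetical cap on attributes per .gitattributes line. */
#define MAX_ATTRS_PER_LINE 1024u

/* ---- 1. attribute counting (the .gitattributes parser) ----------------- */

/* Count whitespace-separated tokens after the first one (the path pattern),
 * e.g. "*.c text eol=lf -diff" -> 3. */
size_t count_attrs(const char *line)
{
    size_t tokens = 0;
    int in_token = 0;
    for (const char *p = line; *p; p++) {
        if (*p == ' ' || *p == '\t')
            in_token = 0;
        else if (!in_token) {
            in_token = 1;
            tokens++;
        }
    }
    return tokens ? tokens - 1 : 0;
}

/* Vulnerable shape: count and byte size held in 32-bit unsigned ints.  Once
 * num_attr * sizeof(struct attr_state) exceeds 2^32 the product wraps, so a
 * line with hundreds of millions of attributes gets an allocation the size
 * of a single record. */
uint32_t vuln_attr_alloc_size(uint32_t num_attr)
{
    return num_attr * (uint32_t)sizeof(struct attr_state);
}

/* Hardened shape: size_t arithmetic, a hard cap, and an explicit overflow
 * test (the idea behind Git's unsigned_mult_overflows()/st_mult() helpers).
 * Returns 0 to refuse the request. */
size_t safe_attr_alloc_size(size_t num_attr)
{
    if (num_attr == 0 || num_attr > MAX_ATTRS_PER_LINE)
        return 0;
    if (num_attr > SIZE_MAX / sizeof(struct attr_state))
        return 0; /* unreachable under the cap; kept as defence in depth */
    return num_attr * sizeof(struct attr_state);
}

/* ---- 2. padding width (the commit formatter) --------------------------- */

/* Vulnerable shape: the width comes straight from the format string as a
 * 32-bit value; "width + 1" (room for the NUL) wraps to 0 at UINT32_MAX, the
 * bounds check passes, and the write that would follow runs far past
 * out_size.  Returns 1 when the flawed check accepts the request. */
int vuln_pad_check(uint32_t width, uint32_t out_size)
{
    uint32_t need = width + 1;
    return need <= out_size;
}

/* Hardened: right-pad text with spaces to `width` columns into out[out_size].
 * Returns the padded length, or -1 if it cannot fit (including when the
 * length arithmetic itself would overflow). */
long safe_pad_right(const char *text, size_t width, char *out, size_t out_size)
{
    size_t len = strlen(text);
    size_t total = len > width ? len : width;
    if (total > SIZE_MAX - 1 || total + 1 > out_size)
        return -1;
    memcpy(out, text, len);
    memset(out + len, ' ', total - len);
    out[total] = '\0';
    return (long)total;
}

/* Scratch buffer so the hardened padder can be exercised in one call. */
char pad_scratch[16];

long pad_into_scratch(const char *text, size_t width)
{
    return safe_pad_right(text, width, pad_scratch, sizeof pad_scratch);
}

int main(void)
{
    /* Smallest count whose 32-bit byte size wraps back to one record. */
    uint32_t huge = (uint32_t)(UINT32_MAX / sizeof(struct attr_state)) + 2;
    printf("attrs on sample line: %zu\n", count_attrs("*.c text eol=lf -diff"));
    printf("vuln size for %u attrs: %u bytes\n", huge, vuln_attr_alloc_size(huge));
    printf("safe size for %u attrs: %zu (0 = refused)\n", huge, safe_attr_alloc_size(huge));
    printf("vuln check accepts width UINT32_MAX into 16 bytes: %d\n",
           vuln_pad_check(UINT32_MAX, 16));
    printf("safe pad 'abc' to 6: %ld -> \"%s\"\n", pad_into_scratch("abc", 6), pad_scratch);
    printf("safe pad 'abc' to SIZE_MAX: %ld\n", pad_into_scratch("abc", SIZE_MAX));
    return 0;
}
```

The hardened versions apply the two defences that matter for this bug class: do the arithmetic in size_t and check it for overflow before it feeds an allocation or a copy, and impose a cap on attacker-derived counts and widths so that the overflow path is never reachable in the first place.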


The researchers confirmed that attackers could exploit the issue by injecting arguments into a git log command. A more novel vector, however, runs through the repository’s own attribute configuration.

By marking a file export-subst in .gitattributes and embedding a crafted $Format:...$ placeholder in it, the bug can be triggered without any injected arguments: the payload lives entirely in the repository and fires when a command that expands the placeholder, such as git archive, processes it.

According to Schneeweisz, “The payload would remain self-contained within the repository, activated by a command like git log. This type of execution is quite common across Git forges such as GitLab or GitHub, highlighting the risk of remote code execution.”

A looming supply chain menace

Alongside the two critical vulnerabilities, the audit found many further integer-related issues that could lead to denial of service, out-of-bounds reads, and mishandled corner cases when processing large inputs. Vervier stressed that the findings are significant for software supply chain security.

“Git effectively serves as the ultimate vector for supply chain attacks given its extensive usage, particularly in package managers for languages including Rust/Cargo, Golang, and NodeJS among others. Additionally, it remains the foremost tool for version control in software development,” he articulated.


Based on an article from portswigger.net: https://portswigger.net/daily-swig/git-security-audit-reveals-critical-overflow-bugs
