CVE-2022-23521 – gitattributes parsing integer overflow in git
https://notcve.org/view.php?id=CVE-2022-23521
Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. • https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76 https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89 https://security.gentoo.org/glsa/202312-15 https://access.redhat.com/security/cve/CVE-2022-23521 https://bugzilla.redhat.com/show_bug.cgi?id=2162055 • CWE-190: Integer Overflow or Wraparound •
CVE-2022-41903 – Integer overflow in `git archive`, `git log --format` leading to RCE in git
https://notcve.org/view.php?id=CVE-2022-41903
Git is distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding operators, there is a integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`. This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., `git log --format=...`). • https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#_export_subst https://git-scm.com/docs/pretty-formats#Documentation/pretty-formats.txt-emltltNgttruncltruncmtruncem https://github.com/git/git/commit/508386c6c5857b4faa2c3e491f422c98cc69ae76 https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq https://security.gentoo.org/glsa/202312-15 https://access.redhat.com/security/cve/CVE-2022-41903 https://bugzilla.redhat.com/show_bug.cgi?id=2162056 • CWE-190: Integer Overflow or Wraparound •
CVE-2022-41953 – Git clone remote code execution vulnerability in git-for-windows
https://notcve.org/view.php?id=CVE-2022-41953
Git GUI is a convenient graphical tool that comes with Git for Windows. Its target audience is users who are uncomfortable with using Git on the command-line. Git GUI has a function to clone repositories. Immediately after the local clone is available, Git GUI will automatically post-process it, among other things running a spell checker called `aspell.exe` if it was found. Git GUI is implemented as a Tcl/Tk script. • https://github.com/git-for-windows/git/commit/7360767e8dfc1895a932324079f7d45d7791d39f https://github.com/git-for-windows/git/pull/4219 https://github.com/git-for-windows/git/security/advisories/GHSA-v4px-mx59-w99c https://www.tcl.tk/man/tcl8.6/TclCmd/exec.html#M23 • CWE-426: Untrusted Search Path •
CVE-2022-39253 – Git subject to exposure of sensitive information via local clone of symbolic links
https://notcve.org/view.php?id=CVE-2022-39253
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. • http://seclists.org/fulldisclosure/2022/Nov/1 http://www.openwall.com/lists/oss-security/2023/02/14/5 http://www.openwall.com/lists/oss-security/2024/05/14/2 https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85 https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraprojec • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-39260 – Git vulnerable to Remote Code Execution via Heap overflow in `git shell`
https://notcve.org/view.php?id=CVE-2022-39260
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. • http://seclists.org/fulldisclosure/2022/Nov/1 https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6 https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4K • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •