Git 2.38.1 Released For Two New Security Vulnerabilities

Written by Michael Larabel in Linux Security on 18 October 2022 at 01:15 PM EDT. 3 Comments
LINUX SECURITY --
Git 2.38.1 was just released along with updates to older versions, including the new point releases of v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, and v2.37.4. The big set of Git updates today is due to two more security issues coming to light.

The newest Git vulnerabilities are CVE-2022-39253 and CVE-2022-39260. The first pertains to the "--local" clone optimization leading to possible arbitrary files appearing in $GIT_DIR when cloning from a malicious repository. The other vulnerability is about overly-long command strings passed to the git shell sub-command could ultimately lead to arbitrary heap writes and remote code execution.

These two CVEs are summed up in the Git 2.38.1 release announcement as:

CVE-2022-39253:
When relying on the `--local` clone optimization, Git dereferences symbolic links in the source repository before creating hardlinks (or copies) of the dereferenced link in the destination repository. This can lead to surprising behavior where arbitrary files are present in a repository's `$GIT_DIR` when cloning from a malicious repository.

Git will no longer dereference symbolic links via the `--local` clone mechanism, and will instead refuse to clone repositories that have symbolic links present in the `$GIT_DIR/objects` directory.

Additionally, the value of `protocol.file.allow` is changed to be "user" by default.

CVE-2022-39260:
An overly-long command string given to `git shell` can result in overflow in `split_cmdline()`, leading to arbitrary heap writes and remote code execution when `git shell` is exposed and the directory `$HOME/git-shell-commands` exists.

`git shell` is taught to refuse interactive commands that are longer than 4MiB in size. `split_cmdline()` is hardened to reject inputs larger than 2GiB.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week