The Git project has recently released new versions to address security vulnerabilities, specifically, CVE-2022-41903 and CVE-2022-23521, which affect versions 2.39 and older. Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953.

The first two vulnerabilities affect Git’s commit formatting mechanism and .gitattributes parser, respectively. The former can be used to perform arbitrary heap writes, while the latter can be used for arbitrary reads. Both may result in arbitrary code execution, so it is important that users upgrade immediately. These vulnerabilities were found as part of an audit of the Git codebase conducted by X41 and sponsored by the Open Source Technology Improvement Fund (OSTIF). Fixes were authored by engineers from the GitLab Security Research Team, as well as GitHub Engineers, and members of the git-security mailing list.

The Windows-specific issue involves a $PATH lookup including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI.

To protect against these vulnerabilities, it is recommended to upgrade to the latest version of Git, version 2.39.1. If an immediate update is not possible, users can reduce their risk by avoiding invoking the --format mechanism directly with the known operators, and avoid running git archive in untrusted repositories. Additionally, if git archive is exposed via git daemon, consider disabling it when working with untrusted repositories. For Windows users, it is recommended to avoid using Git GUI when cloning untrusted repositories.

GitHub has also taken proactive steps to protect its users against these attacks. They have scanned all repositories on GitHub.com to confirm that no evidence exists that GitHub was used as a vector to exploit any of these vulnerabilities, and have implemented mitigation steps to prevent GitHub.com from being used as an attack vector in these CVEs.