Uncovered vulnerabilities include several high-, medium-, and low-severity issues

Git security audit reveals critical overflow bugs

A security audit of the source code for Git has revealed several vulnerabilities, including two critical overflow bugs.

The audit, sponsored by the Open Source Technology Improvement Fund (OSTIF) and performed by X41 D-Sec and GitLab, also uncovered several high-, medium-, and low-severity issues.

Given the popularity of Git and its integration into popular packaging systems, the vulnerabilities could have an immense impact on the security of the software supply chain.

Evil clone operation

The most severe flaw the researchers discovered was a memory corruption bug that could be triggered when Git parses the .gitattributes file of a repository. Developers use .gitattributes to customize how Git handles different files and file paths in repositories, such as line endings, file encodings, and more.

The researchers discovered that if .gitattributes contained a very long attribute line or many attribute lines, it would cause a counter overflow in the function that parses the file and lead to arbitrary code execution.




An attacker could exploit the bug by committing a malicious .gitattributes file to a repository. The bug would be triggered when the victim called git clone or git pull on the repository.

Since the bug requires no special arguments or commands on the victim’s computer, it could become an important part of dangerous supply chain attacks.

“If [attackers] could stage it on a popular library, they could have an impact on the git clients using it, which might also involve anyone using common package systems to install software,” Markus Vervier, managing director at X41 D-Sec, told The Daily Swig.

The bug could also be used to exploit Git servers such as GitHub or GitLab, Vervier said, though he added that both GitLab and GitHub have already been patched.

Pretty but malicious

The second critical bug the researchers discovered would allow code execution during archive operations commonly performed by Git forges such as GitHub and GitLab.

The git log and git archive commands can display commits using pretty formatting. When processing the padding operators, an integer overflow can occur in the pretty format parser if a special format specifier pattern is used.

The overflow bug is triggered directly if a user runs the git log command with the --format specifier, or indirectly if the git archive command is called via the export-subst mechanism.




An attacker could trigger the bug through an argument injection to the git log command, confirmed GitLab security engineer Joern Schneeweisz in comments to The Daily Swig. But the more interesting attack vector was the git archive operation, he said.

The attacker could include an export-subst statement in the .gitattributes file within a repository. The bug would then be triggered by a git archive command, without the need for any injected arguments, Schneeweisz said.

“The payload would be self-contained within the repository and triggered by calling git archive,” Schneeweisz said. “Running git archive on arbitrary repositories is a very common thing for Git forges like GitLab or GitHub, so this issue is mostly an RCE [remote code execution] threat to those.”
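
The following Python check is an added example, not code from the audit, from Git, or from the researchers: it flags the two .gitattributes conditions described above, very long or very numerous attribute lines and export-subst entries. The function names, the sample input, and the two limits are assumptions chosen for illustration.

```python
import os

# Illustrative limits chosen for this example (assumptions, not from the article).
MAX_LINE_BYTES = 2048
MAX_LINES = 10_000


def audit_gitattributes(data: bytes) -> list:
    """Return a list of findings for the raw bytes of one .gitattributes file."""
    findings = []
    lines = data.split(b"\n")
    if len(lines) > MAX_LINES:
        findings.append(f"{len(lines)} lines (limit {MAX_LINES})")
    for number, raw in enumerate(lines, start=1):
        if len(raw) > MAX_LINE_BYTES:
            findings.append(f"line {number}: {len(raw)} bytes (limit {MAX_LINE_BYTES})")
            continue
        tokens = raw.split()
        if not tokens or tokens[0].startswith(b"#"):
            continue
        # tokens[0] is the path pattern (or an [attr] macro name); the rest are
        # attributes. "-name" and "!name" unset an attribute, so only "name"
        # and "name=value" are reported. Quoted patterns containing spaces may
        # over-report, which is acceptable for an audit.
        for attr in tokens[1:]:
            if attr.split(b"=", 1)[0] == b"export-subst":
                pattern = tokens[0].decode("utf-8", "replace")
                findings.append(f"line {number}: export-subst set for {pattern}")
    return findings


def scan_tree(root: str) -> dict:
    """Audit every .gitattributes file under root, skipping the .git directory."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if ".gitattributes" in filenames:
            path = os.path.join(dirpath, ".gitattributes")
            with open(path, "rb") as handle:
                findings = audit_gitattributes(handle.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed sample input, not taken from any real repository.
SAMPLE = b"*.txt text eol=lf\nVERSION export-subst\n*.bin " + b"a" * 4096 + b"\ndocs/* -export-subst\n"

if __name__ == "__main__":
    for finding in audit_gitattributes(SAMPLE):
        print(finding)
```

On a forge or CI runner, the same function can be applied to .gitattributes blobs before git archive is run on an untrusted repository.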

The supply chain threat

In addition to the critical vulnerabilities, the researchers found many integer-related issues that could lead to denial-of-service, out-of-bound reads, or simply badly handled corner cases on large input. Vervier said that the findings were very relevant to the security of software supply chains.

“Git is basically the ultimate supply chain attack vector in the current IT landscape since it is heavily used even for package managers such as Rust/Cargo, Golang, NodeJS, and others. It is also the most widely used source code versioning tool for development,” he said.

