
Debian 10 Buster DLA-3282-1: Vulnerabilities in Git Code Execution

Debian LTS advisory, published January 26, 2023
Two flaws were found in Git that could allow unauthorized code execution. Updating the Git packages mitigates these security threats.
Two vulnerabilities were discovered in Git, a distributed revision control system.

Summary

CVE-2022-23521

gitattributes are a mechanism to allow defining attributes for
paths. These attributes can be defined by adding a
`.gitattributes` file to the repository, which contains a set of
file patterns and the attributes that should be set for paths
matching this pattern. When parsing gitattributes, multiple
integer overflows can occur when there is a huge number of path
patterns, a huge number of attributes for a single pattern, or
when the declared attribute names are huge. These overflows can be
triggered via a crafted `.gitattributes` file that may be part of
the commit history. Git silently splits lines longer than 2KB when
parsing gitattributes from a file, but not when parsing them from
the index. Consequently, the failure mode depends on whether
the file exists in the working tree, the index or both. This
integer overflow can result in arbitrary heap reads and writes,
which may result in remote code execution.
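As an added example that is not part of the advisory or of Git's own code, the following scanner flags the input shapes the text above describes (over-long lines, a huge number of path patterns, a huge number of attributes on one pattern, huge attribute names) in the contents of a `.gitattributes` file. The thresholds are assumptions chosen for this example, not the limits Git's parser actually uses, and quoted patterns containing spaces are not handled.

```python
"""Heuristic scan of .gitattributes content for the shapes CVE-2022-23521 describes.
Thresholds are assumptions for this example, not Git's own limits."""
from dataclasses import dataclass
from typing import List

MAX_LINE_BYTES = 2048       # advisory: Git silently splits file lines longer than 2KB
MAX_PATTERNS = 10_000       # assumed
MAX_ATTRS_PER_LINE = 256    # assumed
MAX_ATTR_NAME_LEN = 256     # assumed


@dataclass
class Finding:
    line_no: int   # 0 means the finding applies to the whole file
    reason: str


def scan_gitattributes(data: bytes) -> List[Finding]:
    """Return suspicious properties of raw .gitattributes bytes (empty list if none)."""
    findings: List[Finding] = []
    pattern_count = 0
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        if len(raw) > MAX_LINE_BYTES:
            findings.append(Finding(line_no, f"line is {len(raw)} bytes (> {MAX_LINE_BYTES})"))
        stripped = raw.strip()
        if not stripped or stripped.startswith(b"#"):
            continue                      # blank line or comment: no pattern
        pattern_count += 1
        fields = stripped.split()         # pattern followed by attribute tokens
        attrs = fields[1:]
        if len(attrs) > MAX_ATTRS_PER_LINE:
            findings.append(Finding(line_no, f"{len(attrs)} attributes on one pattern"))
        for attr in attrs:
            # strip the "-"/"!" state prefix and any "=value" suffix to get the bare name
            name = attr.lstrip(b"-!").split(b"=", 1)[0]
            if len(name) > MAX_ATTR_NAME_LEN:
                findings.append(Finding(line_no, f"attribute name is {len(name)} bytes"))
                break
    if pattern_count > MAX_PATTERNS:
        findings.append(Finding(0, f"{pattern_count} path patterns in file"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one pattern carrying 600 attributes on a 3KB line.
    sample = b"*.txt " + b"attr " * 600 + b"\n"
    for f in scan_gitattributes(sample):
        print(f"line {f.line_no}: {f.reason}")
```

Because the advisory notes that the crafted file may live only in history, feed the scanner the blob from each commit (for example the output of `git show <commit>:.gitattributes`) rather than just the working-tree copy.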

CVE-2022-41903



Severity: important

Package: git
Version: 1:2.20.1-2+deb10u7
CVE ID: CVE-2022-23521 CVE-2022-41903
Debian Bug: 1029114
