CVE-2022-23521

Name: CVE-2022-23521
Description: Git is a distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a `.gitattributes` file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge. These overflows can be triggered via a crafted `.gitattributes` file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequently, the failure mode depends on whether the file exists in the working tree, the index or both. These integer overflows can result in arbitrary heap reads and writes, which may result in remote code execution. The problem has been patched in the versions published on 2023-01-17, going back to v2.30.7. Users are advised to upgrade. There are no known workarounds for this issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3282-1, DSA-5332-1, ELA-788-1, ELA-803-1
Debian Bugs: 1029114
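
The description names three trigger shapes (a huge number of patterns, a huge number of attributes on one pattern, huge attribute names) and one behavioural difference (lines over 2KB are silently split when read from a working-tree file but kept whole when read from the index). The triage helper below is an added example, not code from Git, Debian or this tracker entry: given the raw bytes of a `.gitattributes` blob (for instance the output of `git cat-file -p <blob>` for each `.gitattributes` object in a repository's history) it measures those shapes and emulates both read paths so the difference is visible. Assumptions are marked in the comments: the 2048-byte buffer is inferred from the "2KB" in the description, the exact fgets-style chunk boundary (bufsize-1 bytes per chunk) and the fixed versions refusing lines at or beyond that length are my reading of the fix commits listed under Notes, and the SUSPICIOUS_* thresholds are chosen for this tool, not limits Git enforces.

```python
"""Triage helper for CVE-2022-23521 (added example, not code from Git or Debian).

Given the raw bytes of a .gitattributes blob it reports the three shapes the
advisory names as overflow triggers (overlong lines, a huge number of
attributes on one pattern, huge attribute names), counts path patterns, and
emulates how an unpatched Git chopped the blob into lines depending on whether
it came from the index (lines kept whole) or from a working-tree file
(fgets-style buffer, long lines silently split).
"""
from dataclasses import dataclass, field

# Line buffer size behind the "2KB" in the advisory. That a fixed Git refuses
# lines at or beyond this length is my reading of the fix commits (assumption).
ATTR_MAX_LINE_LENGTH = 2048
# Triage thresholds chosen for this tool; Git itself does not enforce these.
SUSPICIOUS_ATTR_COUNT = 1000
SUSPICIOUS_NAME_LENGTH = 256
SUSPICIOUS_PATTERN_COUNT = 100_000


@dataclass(frozen=True)
class Finding:
    lineno: int   # 1-based line as Git saw it; 0 for a whole-blob finding
    kind: str     # overlong-line | attr-count | attr-name-length | pattern-count
    value: int    # the measured size that tripped the threshold


@dataclass
class Report:
    patterns: int
    findings: list[Finding] = field(default_factory=list)

    def kinds(self) -> set[str]:
        return {f.kind for f in self.findings}


def lines_as_git_saw(content: bytes, from_index: bool,
                     bufsize: int = ATTR_MAX_LINE_LENGTH) -> list[bytes]:
    """Split the blob the way an unpatched Git did.

    From the index every line is one unit. From a file the reader behaved like
    fgets() into a `bufsize` buffer: at most bufsize-1 bytes per call, so a
    longer line silently came back as several "lines" (exact boundary assumed).
    """
    if from_index:
        lines = content.split(b"\n")
        if lines and lines[-1] == b"":
            lines.pop()               # trailing newline, not an extra empty line
        return lines
    chunks, pos = [], 0
    while pos < len(content):
        newline = content.find(b"\n", pos)
        stop = len(content) if newline == -1 else newline + 1
        stop = min(stop, pos + bufsize - 1)
        chunks.append(content[pos:stop].rstrip(b"\n"))
        pos = stop
    return chunks


def parse_attr_line(line: bytes):
    """Return (pattern, [attribute tokens]) or None for blank and comment lines.

    Follows the documented format: a path pattern, optionally double-quoted so
    it may contain spaces, then whitespace-separated tokens of the forms
    attr, -attr, !attr and attr=value.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith(b"#"):
        return None
    if stripped.startswith(b'"'):
        close = stripped.find(b'"', 1)
        if close == -1:
            return None               # unterminated quote: no usable pattern
        pattern, rest = stripped[1:close], stripped[close + 1:]
    else:
        parts = stripped.split(None, 1)
        pattern, rest = parts[0], (parts[1] if len(parts) > 1 else b"")
    return pattern, rest.split()


def attr_name(token: bytes) -> bytes:
    """Bare attribute name: drop the -/! state prefix and any =value suffix."""
    return token.lstrip(b"-!").split(b"=", 1)[0]


def triage(content: bytes, from_index: bool = True) -> Report:
    """Scan one .gitattributes blob and report the advisory's trigger shapes."""
    report = Report(patterns=0)
    for lineno, line in enumerate(lines_as_git_saw(content, from_index), 1):
        if len(line) >= ATTR_MAX_LINE_LENGTH:
            report.findings.append(Finding(lineno, "overlong-line", len(line)))
        parsed = parse_attr_line(line)
        if parsed is None:
            continue
        report.patterns += 1
        tokens = parsed[1]
        if len(tokens) > SUSPICIOUS_ATTR_COUNT:
            report.findings.append(Finding(lineno, "attr-count", len(tokens)))
        longest = max((len(attr_name(t)) for t in tokens), default=0)
        if longest > SUSPICIOUS_NAME_LENGTH:
            report.findings.append(Finding(lineno, "attr-name-length", longest))
    if report.patterns > SUSPICIOUS_PATTERN_COUNT:
        report.findings.append(Finding(0, "pattern-count", report.patterns))
    return report


# Constructed sample blobs (not taken from any real repository).
BENIGN = b'*.c text diff=c\n# comment\n"my file.txt" -text\n*.png binary\n'
MANY_ATTRS = b"*.bin " + b"x " * 1500 + b"\n"   # one pattern, 1500 attributes
HUGE_NAME = b"* " + b"n" * 3000 + b"\n"         # one 3000-byte attribute name

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("many-attrs", MANY_ATTRS), ("huge-name", HUGE_NAME)):
        for from_index in (True, False):
            rep = triage(blob, from_index)
            print(f"{name:10} {'index' if from_index else 'file ':5} "
                  f"patterns={rep.patterns} findings={rep.findings}")
```

Running it shows the point the description makes about failure modes: read from the index, the 3006-byte MANY_ATTRS line is reported once as overlong with all 1500 attributes on it; read from a file, the same bytes arrive as two sub-2048-byte "lines", the second of which starts with a bogus pattern made from the tail of the attribute list, so no single line looks overlong even though the parser still sees over a thousand attributes on the first chunk.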

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                    Version                Status
git (PTS)        jessie, jessie (lts)                       1:2.1.4-2.1+deb8u14    fixed
                 stretch (security)                         1:2.11.0-3+deb9u7      vulnerable
                 stretch (lts), stretch                     1:2.11.0-3+deb9u11     fixed
                 buster (security), buster, buster (lts)    1:2.20.1-2+deb10u9     fixed
                 bullseye                                   1:2.30.2-1+deb11u2     fixed
                 bullseye (security)                        1:2.30.2-1+deb11u3     fixed
                 bookworm (security), bookworm              1:2.39.5-0+deb12u1     fixed
                 trixie                                     1:2.45.2-1             fixed
                 sid                                        1:2.45.2-1.2           fixed

The information below is based on the following data on fixed versions.

Package  Type    Release      Fixed Version          Urgency  Origin      Debian Bugs
git      source  jessie       1:2.1.4-2.1+deb8u12             ELA-803-1
git      source  stretch      1:2.11.0-3+deb9u9               ELA-788-1
git      source  buster       1:2.20.1-2+deb10u7              DLA-3282-1
git      source  bullseye     1:2.30.2-1+deb11u1              DSA-5332-1
git      source  (unstable)   1:2.39.1-0.1                                1029114

Notes

https://www.openwall.com/lists/oss-security/2023/01/17/4
https://github.com/git/git/commit/eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24
https://github.com/git/git/commit/8d0d48cf2157cfb914db1f53b3fe40785b86f3aa
https://github.com/git/git/commit/24557209500e6ed618f04a8795a111a0c491a29c
https://github.com/git/git/commit/34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9
https://github.com/git/git/commit/447ac906e189535e77dcb1f4bbe3f1bc917d4c12
https://github.com/git/git/commit/e1e12e97ac73ded85f7d000da1063a774b3cc14f
https://github.com/git/git/commit/a60a66e409c265b2944f18bf43581c146812586d
https://github.com/git/git/commit/d74b1fd54fdbc45966d12ea907dece11e072fb2b
https://github.com/git/git/commit/dfa6b32b5e599d97448337ed4fc18dd50c90758f
https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579
https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf
