CVE-2022-39260

Name: CVE-2022-39260
Description: Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3239-1, DSA-5332-1, ELA-788-1, ELA-803-1
Debian Bugs: 1022046
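The description above says the argument splitter kept its entry count in an `int`, that a large enough input overflowed that count into heap writes, and that the resulting array was handed to `execv()`. The following is an added example and is not git's own `split_cmdline` or any code from this page: a simplified whitespace-only splitter written in the hardened shape, with the count kept in `size_t`, a hard cap on the number of arguments, a cap on the length of one command line, and a range check before the count is narrowed to `int`. `MAX_ARGS`, `MAX_CMDLINE`, the function names and the sample inputs are assumptions made for the example; quoting, which a real command-line splitter must handle, is left out.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both limits are assumptions for this example, not values taken from git. */
#define MAX_ARGS    4096    /* cap on argv entries, far below INT_MAX */
#define MAX_CMDLINE 65536   /* cap on bytes in one command line */

/*
 * Split cmdline in place on whitespace into a NULL-terminated argv and
 * return the argument count, or -1 on error. The vulnerable pattern kept
 * the count in an int and grew the array from it, so enough input wrapped
 * the counter and later stores landed outside the heap block. Here the
 * count is a size_t, is capped before every store, and is range-checked
 * before it is narrowed to the int return type.
 */
int split_cmdline_safe(char *cmdline, char ***argv_out)
{
    size_t count = 0, size = 16, i, len;
    char **argv, **tmp;

    *argv_out = NULL;
    if (!cmdline || (len = strlen(cmdline)) > MAX_CMDLINE)
        return -1;                   /* refuse oversized input up front */
    if (!(argv = malloc(size * sizeof(*argv))))
        return -1;

    for (i = 0; i < len;) {
        while (i < len && isspace((unsigned char)cmdline[i]))
            cmdline[i++] = '\0';     /* terminate the previous token */
        if (i >= len)
            break;
        if (count >= MAX_ARGS || count >= (size_t)INT_MAX) {
            free(argv);
            return -1;               /* too many arguments: refuse */
        }
        if (count + 1 >= size) {     /* keep one slot for the NULL */
            size *= 2;
            if (!(tmp = realloc(argv, size * sizeof(*argv)))) {
                free(argv);
                return -1;
            }
            argv = tmp;
        }
        argv[count++] = &cmdline[i];
        while (i < len && !isspace((unsigned char)cmdline[i]))
            i++;
    }
    argv[count] = NULL;
    *argv_out = argv;
    return (int)count;               /* count < MAX_ARGS < INT_MAX */
}

/* Constructed sample: the kind of line git-shell receives over SSH. */
int demo_normal(void)
{
    char line[] = "  git-upload-pack   'repo.git'  ";
    char **argv;
    int n = split_cmdline_safe(line, &argv);
    int ok = n == 2 && strcmp(argv[0], "git-upload-pack") == 0 &&
             strcmp(argv[1], "'repo.git'") == 0 && argv[2] == NULL;
    free(argv);
    return ok ? n : -99;             /* 2 */
}

/* Build ntok tokens of toklen 'a's, each followed by a space, and split. */
static int split_synthetic(size_t ntok, size_t toklen)
{
    size_t len = ntok * (toklen + 1), i;
    char *line = malloc(len + 1);
    char **argv;
    int rc;

    if (!line)
        return -99;
    for (i = 0; i < len; i++)
        line[i] = ((i + 1) % (toklen + 1)) ? 'a' : ' ';
    line[len] = '\0';
    rc = split_cmdline_safe(line, &argv);
    free(argv);
    free(line);
    return rc;
}

/* Exactly MAX_ARGS arguments still parse; one more is refused by the cap,
 * and a single token longer than MAX_CMDLINE is refused before parsing. */
int demo_at_cap(void)        { return split_synthetic(MAX_ARGS, 1); }        /* 4096 */
int demo_too_many_args(void) { return split_synthetic(MAX_ARGS + 1, 1); }    /* -1 */
int demo_too_long_line(void) { return split_synthetic(1, MAX_CMDLINE + 1); } /* -1 */

int main(void)
{
    printf("normal=%d at_cap=%d too_many=%d too_long=%d\n", demo_normal(),
           demo_at_cap(), demo_too_many_args(), demo_too_long_line());
    return 0;
}
```

The two caps do different jobs: the length check rejects a hostile line before any allocation happens, and the count check stops the array from growing past a bound that is known to fit in the `int` the caller expects, so the narrowing cast at the end can never go negative. A splitter whose output is destined for `execv()` wants both, because the kernel's own argument limits are not a substitute for the caller's counter staying sane.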

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                   Version                 Status
git (PTS)        jessie, jessie (lts)                      1:2.1.4-2.1+deb8u14     fixed
                 stretch (security)                        1:2.11.0-3+deb9u7       vulnerable
                 stretch (lts), stretch                    1:2.11.0-3+deb9u11      fixed
                 buster (security), buster, buster (lts)   1:2.20.1-2+deb10u9      fixed
                 bullseye                                  1:2.30.2-1+deb11u2      fixed
                 bullseye (security)                       1:2.30.2-1+deb11u3      fixed
                 bookworm (security), bookworm             1:2.39.5-0+deb12u1      fixed
                 trixie                                    1:2.45.2-1              fixed
                 sid                                       1:2.45.2-1.2            fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version          Urgency   Origin       Debian Bugs
git       source   jessie       1:2.1.4-2.1+deb8u12              ELA-803-1
git       source   stretch      1:2.11.0-3+deb9u9                ELA-788-1
git       source   buster       1:2.20.1-2+deb10u5               DLA-3239-1
git       source   bullseye     1:2.30.2-1+deb11u1               DSA-5332-1
git       source   (unstable)   1:2.38.1-1                                    1022046

Notes

https://www.openwall.com/lists/oss-security/2022/10/18/5
https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u
https://github.com/git/git/commit/32696a4cbe90929ae79ea442f5102c513ce3dfaa (v2.30.6)
https://github.com/git/git/commit/71ad7fe1bcec2a115bd0ab187240348358aa7f21 (v2.30.6)
https://github.com/git/git/commit/0ca6ead81edd4fb1984b69aae87c1189e3025530 (v2.30.6)
