Today, the Git project released new versions to address a pair of security vulnerabilities, CVE-2022-41903, and CVE-2022-23521, that affect versions 2.39 and older.

Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953.

The first two vulnerabilities affect Git’s commit formatting mechanism and .gitattributes parser, respectively. The former can be used to perform arbitrary heap writes, while the latter can be used for arbitrary reads, too. Both may result in arbitrary code execution, so users should upgrade immediately. Both were also found as part of an audit of the Git codebase conducted by X41. This audit was sponsored by the Open Source Technology Improvement Fund (OSTIF). Fixes were authored by engineers from the GitLab Security Research Team, as well as GitHub Engineers, and members of the git-security mailing list.

A complete copy of the report (along with a variety of issues that weren’t deemed to have security implications) is available here.

The Windows-specific issue involves a $PATH lookup including the current working directory, which can be leveraged to run arbitrary code when cloning repositories with Git GUI.

CVE-2022-41903

The first set of updates concern Git’s commit-formatting mechanism, used to display arbitrary information about commits, as in git log --format. When processing one of the padding operators (for example, %<(, %>(, etc.) an integer overflow can occur when a large offset is given).

This vulnerability can be triggered directly via git log --format. It may also be triggered indirectly via Git’s export-subst mechanism, which applies the formatting modifiers to selected files when using git archive.

This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.

[source]

CVE-2022-23521

gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by .gitattributes file(s) within your repository.

Th