GitLab has published patches to two critical vulnerabilities in the popular Git version control software.
As the organisation said in its advisory, the fixes for CVE-2022-41903 and CVE-2022-23521 have already been implemented on its GitLab.com and GitLab Dedicated services.
Both bugs are integer overflows that could lead to remote code execution.
CVE-2022-41903 is a bug in Git's git log and git archive commands.
The advisory stated: “When processing the padding operators, there is an integer overflow in `pretty.c::format_and_pad_commit()` where a `size_t` is stored improperly as an `int`, and then added as an offset to a `memcpy()`.”
The overflow can be triggered directly “by a user running a command which invokes the commit formatting machinery”, or indirectly “through git archive via the export-subst mechanism”. Either approach results in arbitrary writes to heap memory.
If a user is unable to upgrade, the advisory said they should “disable ‘git archive’ in untrusted repositories”.
CVE-2022-23521 is an integer overflow in Git's parsing of gitattributes files.
“When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge”, the advisory stated.
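The two advisory passages quoted above describe the same bug class from two angles: a length held in a `size_t` that is narrowed to an `int` and then used as a `memcpy()` offset (CVE-2022-41903), and counts of patterns or attributes that overflow when used to size a table (CVE-2022-23521). The C below is an added, illustrative example written for this article; it is not Git's `pretty.c` or `attr.c`, and the function names (`fits_in_int`, `narrowed_offset`, `checked_copy`, `checked_alloc_size`) are hypothetical. It places the unsafe narrowing next to the overflow checks a defender would want in a parser that handles attacker-controlled sizes.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code written for this article; it is NOT Git's pretty.c or
 * attr.c. It shows the bug class the advisory names (a size_t narrowed to an
 * int and then used as a memcpy offset; counts that overflow when turned into
 * an allocation size) next to the checks that prevent it. */

/* True when a size_t value survives a round trip through int unchanged. */
bool fits_in_int(size_t n) {
    return n <= (size_t)INT_MAX;
}

/* The unsafe pattern: the width is narrowed to int. Any value above INT_MAX
 * no longer represents the original length (on common ABIs it goes negative),
 * so an offset derived from it no longer points where the code assumes. */
int narrowed_offset(size_t n) {
    int offset = (int)n;   /* narrowing conversion; value lost for n > INT_MAX */
    return offset;
}

/* Hardened copy: offset and length stay size_t, the sum is checked for
 * wrap-around, and the write is refused if it would exceed dst_cap. */
bool checked_copy(char *dst, size_t dst_cap, size_t offset,
                  const char *src, size_t len) {
    if (offset > dst_cap) return false;
    if (len > SIZE_MAX - offset) return false;  /* offset + len would wrap */
    if (offset + len > dst_cap) return false;
    memcpy(dst + offset, src, len);
    return true;
}

/* Overflow-checked allocation size for `count` items of `elem` bytes: the
 * check a parser needs before sizing a table from an input-controlled count
 * (the gitattributes case: huge numbers of patterns or attributes). */
bool checked_alloc_size(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) return false;  /* product wraps */
    *out = count * elem;
    return true;
}

int main(void) {
    char buf[16] = {0};
    size_t bytes;
    printf("fits_in_int(INT_MAX+1): %d\n", fits_in_int((size_t)INT_MAX + 1));
    printf("narrowed offset: %d\n", narrowed_offset((size_t)INT_MAX + 1));
    printf("in-bounds copy accepted: %d\n",
           checked_copy(buf, sizeof buf, 4, "abcdefgh", 8));
    printf("out-of-bounds copy refused: %d\n",
           !checked_copy(buf, sizeof buf, 12, "abcdefgh", 8));
    printf("wrapping product refused: %d\n",
           !checked_alloc_size(SIZE_MAX / 2 + 1, 2, &bytes));
    return 0;
}
```

The design point is that lengths and counts derived from repository content should stay in `size_t` end to end, and every addition or multiplication that feeds a `memcpy()` or an allocation should be checked against `SIZE_MAX` and the destination capacity before the write happens; refusing the input is the safe outcome.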
There is no workaround for the vulnerability.
GitLab has pushed the two fixes in versions 15.7.5, 15.6.6, and 15.5.9 of GitLab Community Edition (CE) and Enterprise Edition (EE).