"Git Patches Two Critical Remote Code Execution Security Flaws"

Git has patched two vulnerabilities of critical severity that could allow attackers to execute arbitrary code by exploiting heap-based buffer overflow flaws. A third Windows-specific vulnerability affecting the Git GUI tool, caused by an untrusted search path flaw, allows unauthenticated threat actors to execute untrusted code low-complexity attacks. The first two vulnerabilities in the commit formatting process and the .gitattributes parser were addressed in new versions dating back to v2.30.7. The third vulnerability is still awaiting a fix, but users can work around it by not using the Git GUI software to clone repositories or by avoiding cloning from untrusted sources. As part of an OSTIF-sponsored security source code audit of Git, security researchers from X41 identified these vulnerabilities. According to the researchers, the most severe vulnerability detected enables an attacker to trigger a heap-based memory corruption during clone or pull operations, potentially resulting in code execution. Another serious vulnerability allows code execution during an archive process, which Git forges commonly conduct. This article continues to discuss the security flaws addressed by Git.

Bleeping Computer reports "Git Patches Two Critical Remote Code Execution Security Flaws"