CVE-2022-23521: 
vulnerability analysis and mitigation

CVE-2022-23521 is a critical security vulnerability discovered in Git that affects versions up to and including v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, and v2.39.0. The vulnerability was disclosed on January 17, 2023, and affects Git's gitattributes parsing mechanism (Git Advisory).

The vulnerability occurs in Git's gitattributes parsing mechanism, where multiple integer overflows can occur under specific conditions: when there is a huge number of path patterns, when there is a huge number of attributes for a single pattern, or when the declared attribute names are huge. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index, leading to inconsistent behavior depending on whether the file exists in the working tree, the index, or both (Git Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

This integer overflow vulnerability can result in arbitrary heap reads and writes, which may lead to remote code execution. The vulnerability can be triggered via a crafted .gitattributes file that may be part of the commit history (Git Advisory).

The vulnerability has been patched in versions published on January 17, 2023, starting from v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, and v2.39.1. Users are strongly advised to upgrade to the latest patched version as there are no known workarounds (Git Advisory).

The vulnerability was discovered by Markus Vervier and Eric Sesterhenn of X41 D-Sec, with the work being sponsored by OSTIF. The fixes were developed by Patrick Steinhardt of GitLab with assistance from others on the Git security mailing list (Git Advisory).