CVE-2022-39260: 
Git vulnerability analysis and mitigation

CVE-2022-39260 is a security vulnerability discovered in Git's shell functionality that affects versions up to 2.30.5, 2.31.4, 2.32.3, 2.33.4, 2.34.4, 2.35.4, 2.36.2, 2.37.3, and 2.38.0. The vulnerability was discovered by Kevin Backhouse of the GitHub Security Lab and was disclosed on October 18, 2022 (GitHub Advisory).

The vulnerability exists in the git shell function that splits command arguments into an array. The function improperly uses an int to represent the number of entries (argc) in the argv array, allowing a malicious actor to intentionally overflow the return value. This can lead to arbitrary heap writes when the resulting argv array is passed to execv() (GitHub Advisory).

If exploited, this vulnerability could lead to remote code execution on a victim machine when git shell is exposed and the directory $HOME/git-shell-commands exists. The impact is particularly severe in environments where git shell is used as a restricted login shell (GitHub Advisory).

The vulnerability has been patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, 2.37.4, and 2.38.1. The fix includes refusing interactive commands longer than 4MiB in size and hardening split_cmdline() to reject inputs larger than 2GiB. If upgrading is not immediately possible, users can disable git shell access via remote logins or remove the git-shell-commands directory to disable interactive mode (GitHub Advisory, Red Hat Advisory).