CVE-2023-2030: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. The vulnerability was reported through GitLab's HackerOne bug bounty program by researcher lotsofloops (GitLab Release, Debian Tracker).

The vulnerability stems from how Gitaly, GitLab's Git RPC service, extracts signatures from commits. The extractSignatures function in commit_signatures.go incorrectly assumes that gpgsig is always the last header item and includes everything after gpgsig in the signature data. This implementation flaw allows additional headers to be added after the gpgsig header while still maintaining a valid signature verification status in GitLab. The issue has been assigned a CVSS score of 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) indicating low severity (GitLab Release).

The vulnerability allows an attacker to modify certain aspects of signed commits while maintaining their verified status in GitLab. This includes the ability to change author name/email/date, committer date, and add additional commit parents. Since Git computes commit diffs based on commit parents, this could be exploited to alter the base used for generating diffs (GitLab Issue).

The vulnerability has been patched in GitLab versions 16.5.6, 16.6.4, and 16.7.2. Users are strongly recommended to upgrade to these or newer versions to mitigate the risk. The fix involves correcting how GitLab handles signature verification for commits (GitLab Release).