FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

git -- gitattributes parsing integer overflow

Affected packages
git < 2.39.1


VuXML ID 8fafbef4-b1d9-11ed-b0f4-002590f2a714
Discovery 2023-01-17
Entry 2023-02-21

git team reports:

gitattributes are used to define unique attributes corresponding to paths in your repository. These attributes are defined by .gitattributes file(s) within your repository.

The parser used to read these files has multiple integer overflows, which can occur when parsing either a large number of patterns, a large number of attributes, or attributes with overly-long names.

These overflows may be triggered via a malicious .gitattributes file. However, Git automatically splits lines at 2KB when reading .gitattributes from a file, but not when parsing it from the index. Successfully exploiting this vulnerability depends on the location of the .gitattributes file in question.

This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.


CVE Name CVE-2022-23521