Results of Git Security Audit
Open Source Technology Improvement Fund (OSTIF) is thrilled to announce the results of a security audit and threat model for git. Git is the world’s most widely used version control system, and it underpins not only open source, but the vast majority of public and private software development today. To say that git is infrastructure is an understatement: it reaches nearly every corner of software development and touches nearly every product that has software in one way or another.
For this reason, git is one of OSTIF’s top priorities for security resources, and OSTIF has built a large coalition of companies to work on multiple facets of the git project. The security audit conducted by Markus Vervier and Eric Sesterhenn from X41 and Joern Schneeweisz from GitLab is only a part of the total efforts coordinated by OSTIF. GitHub’s CodeQL team (thank you Turbo!) is helping the git developers build a custom ruleset for CodeQL to give the developers more meaningful results and cull false positives, so that the tool is more usable than the previous static analysis tools (which the core git team had stopped using due to multiple difficulties). Additionally, Adolfo Veytia and John Speed Meyers from Chainguard, along with Dennis Appelt from GitLab, are working on how the Windows version of git is distributed, to make recommendations and changes that improve the supply chain security of git. We will be releasing the results of those efforts as each of these projects is completed. This coalition of efforts is unified through our shared interests in git and the critical role that it plays in the open source world.
OSTIF is extremely grateful for the funding and support from the Google Open Source Security Team (GOSST) and for the help of the OpenSSF in making this critical project more secure.
For this portion of the research, a total of 35 issues were discovered, including 2 critical severity findings and a high severity finding. Additionally, because of this research, a number of potentially catastrophic security bugs were discovered and resolved internally by the git security team. (A special thank you to Patrick Steinhardt for all of their work on the formatting issues related to CVE-2022-41903.)
The serious bug fixes are in the latest release of Git (released today).
The most notable issues were:
CRITICAL – CVE-2022-41903 – Out-of-Bounds Memory Write in Log Formatting (this had multiple collateral issues, critical in nature, that were fixed by the git security team)
CRITICAL – CVE-2022-23251 – Truncated Allocation Leading to Out of Bounds Write Via Large Number of Attributes
HIGH – Out-of-Bounds Read Via Padding Placeholders
The git team demonstrated a strong commitment to improving security posture by actively participating in the audit process and collaborating with the audit team during the initial meetings and security review. We’d like to thank everyone at git who helped us with this audit, with security tooling questions, and with understanding the git build process.
The results can be viewed in full detail at the following links:
Git Security Assessment Full Report – https://ostif.org/wp-content/uploads/2023/01/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf
More information from X41’s blog post here: https://www.x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/
Information on the latest git patch: https://www.openwall.com/lists/oss-security/2023/01/17/4
OSTIF is planning many security efforts in 2023, and funding audits like these can be a useful tool for securing projects in open source.
Thank you to everyone from X41 and GitLab who did excellent work on this audit!
For more information on this type of security work being done, visit the OSTIF website. We also have all of our published work on our GitHub. Proactive security audits go a long way in detecting and fixing vulnerabilities before attackers can exploit them. Everyone around the world depends on open source software (OSS), and security audits play an important role in securing the open source ecosystem.