A few days ago two security vulnerabilities in Git were made public. In response, we released GitLab 8.5.7 the same day.
At the time, there was still some confusion regarding which version of Git contained all of the security fixes. Yesterday, Git version 2.7.4 was released with the fixes for all known vulnerabilities.
Due to the potential impact of this vulnerability, we've released new omnibus-gitlab packages for the past four months' releases (8.2, 8.3, 8.4, and 8.5).
In this blog post we will go into more detail about the vulnerabilities and their impact on GitLab.
The problem
An attacker can create a malicious Git repository that causes a heap
overflow in git
commands
that run on that repository (e.g.,
git clone https://example.com/evil-repo.git
). At best this causes your
git
command to crash; at worst the malicious Git repository
effectively becomes a program that runs on your computer.
This vulnerability got fixed in Git version 2.7.4.
General impact
If you are using a vulnerable version of the Git client and you run the "right"
git
command on a malicious repository, an attacker may gain control over your
computer. It also means that if an attacker can upload a malicious repository to
a GitLab server, and if that GitLab server has a vulnerable version of Git
installed, then the attacker could execute arbitrary code on the GitLab server.
Impact on GitLab
During various operations GitLab will run git
commands on the repositories it
hosts. If your GitLab server uses a vulnerable version of Git and if one of your
users pushed or imported a malicious repository onto your server then attacker
code embedded in the malicious Git repository may be executed on the GitLab
server as the application user.
What we are doing about it
We have released the new omnibus-gitlab packages for versions going back to GitLab version 8.2.
The Omnibus packages for GitLab 8.2.4, 8.3.5, 8.4.6 and 8.5.8 contain Git version 2.7.4.
We understand it's not always possible for all of our users to upgrade to the latest monthly releases. However, we urge you to upgrade to the latest available version as it contains the latest security fixes for all bundled software.
What you should do about it
You should make sure that you are using the latest version of Git on each computer you use Git. Because there are many different ways to install Git it is difficult to give specific instructions how to this.
If you are an administrator for a GitLab server and you installed GitLab using our Omnibus packages then you should make sure you are using GitLab 8.5.8 or newer.
If you installed GitLab from source or through some other means it is not enough to update to the latest version of GitLab; you should make sure you are using the latest version of Git for your platform.
If you installed Git from source according to the GitLab installation guide you can check its version by running:
/usr/local/bin/git --version
You should also verify that GitLab is seeing the correct version of Git by visiting your Administration dashboard and looking under Components.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback