Git security vulnerabilities announced
Blog post from GitHub
New versions of Git have been released to address the security vulnerabilities CVE-2022-41903 and CVE-2022-23521, which affect versions 2.39 and older, as well as a Windows-specific issue, CVE-2022-41953, in Git for Windows. The first two vulnerabilities are in Git's commit formatting mechanism and its .gitattributes parser: both contain integer overflows that can potentially lead to arbitrary code execution. The Windows-specific issue involves the Git GUI's $PATH lookup, which could execute untrusted code when cloning a repository.

Users are advised to upgrade to Git 2.39.1 to mitigate these risks; additional steps are recommended for those who cannot update immediately.

The vulnerabilities were discovered during an audit by X41, sponsored by the Open Source Technology Improvement Fund, and the fixes were developed by engineers from GitLab, GitHub, and the git-security mailing list. GitHub has also implemented measures to prevent exploitation of these vulnerabilities on its platform, has scheduled updates across its services, and credits the various contributors for their discovery and resolution efforts.
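The post's practical advice is to get every machine onto Git 2.39.1 or newer. The following POSIX sh script is an added example, not code from the GitHub post or from the Git project, for checking the string that `git --version` reports on a host against that threshold. It assumes 2.39.1 as the single minimum version, because that is the release the post names; vendor suffixes such as `.windows.1` or `(Apple Git-…)` are ignored, and only major.minor.patch are compared.

```shell
#!/bin/sh
# Added example (not from the GitHub post or the Git project): decide whether
# a `git --version` string is at or above the fixed release the post names.
# Assumption: 2.39.1 is the only threshold; adjust if your fleet tracks an
# older maintenance line with its own fixed release.

MIN_MAJOR=2
MIN_MINOR=39
MIN_PATCH=1

# parse_git_version "git version 2.39.0.windows.1"  -> prints "2 39 0"
# parse_git_version "git version 2.39"              -> prints "2 39 0"
# Returns 1 if the string does not look like Git's version output.
parse_git_version() {
    v=$(printf '%s\n' "$1" | sed -n \
        's/^git version \([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*$/\1 \2 \4/p')
    [ -n "$v" ] || return 1
    set -- $v
    printf '%s %s %s\n' "$1" "$2" "${3:-0}"
}

# git_version_patched "<git --version output>"
#   exit 0: version is >= 2.39.1
#   exit 1: version is older and needs upgrading
#   exit 2: string could not be parsed
git_version_patched() {
    parsed=$(parse_git_version "$1") || return 2
    set -- $parsed
    major=$1; minor=$2; patch=$3
    if [ "$major" -ne "$MIN_MAJOR" ]; then
        if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -ne "$MIN_MINOR" ]; then
        if [ "$minor" -gt "$MIN_MINOR" ]; then return 0; else return 1; fi
    fi
    if [ "$patch" -ge "$MIN_PATCH" ]; then return 0; else return 1; fi
}

# Stand-alone use: report on the Git installed on this host, if any.
if command -v git >/dev/null 2>&1; then
    installed=$(git --version)
    if git_version_patched "$installed"; then
        echo "ok: $installed"
    else
        echo "UPGRADE NEEDED: $installed (want >= $MIN_MAJOR.$MIN_MINOR.$MIN_PATCH)"
    fi
fi
```

Run it through an inventory tool or a login script and collect the `UPGRADE NEEDED` lines; the distinct exit codes let a caller separate "old Git" from "no parseable Git at all", which matters on hosts where a wrapper or a different tool answers `git --version`.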