medium advisory

gix-pack Denial-of-Service Vulnerabilities

Multiple denial-of-service vulnerabilities exist in `gix-pack`; crafted delta data can cause unchecked array indexing, leading to panics, and uncapped attacker-controlled size headers enable out-of-memory process kills, triggered by malicious pack data during clone/fetch operations.

The gix-pack library, a Rust implementation of Git packfile handling, contains multiple denial-of-service (DoS) vulnerabilities. Specifically, unchecked array indexing in delta processing can lead to panics, and uncapped memory allocation based on attacker-controlled size headers allows for out-of-memory (OOM) attacks. These vulnerabilities are triggered when processing malicious pack data during clone or fetch operations. The affected versions are gix-pack <= 0.68.0. This poses a risk to any application built on gitoxide that clones or fetches from an untrusted remote, including the gix CLI, applications using the gix crate, and CI/CD systems cloning repositories using gitoxide. A crafted pack entry claiming a multi-terabyte size triggers an immediate process kill, which constitutes a single-packet process kill with no recovery.

Attack Chain

  1. An attacker crafts a malicious Git packfile containing either truncated delta data or an entry with an extremely large `decompressed_size`.
  2. A user or automated system initiates a `git clone` or `git fetch` operation from a repository controlled by the attacker.
  3. The `gix-pack` library attempts to parse the crafted packfile.
  4. If the packfile contains truncated delta data, the `apply()` function in `gix-pack/src/data/delta.rs` attempts to access array indices beyond the bounds of the data buffer, leading to a panic. Alternatively, the `parse_header_info()` function in `gix-pack/src/data/entry/decode.rs` can also panic due to unchecked indexing.
  5. If the packfile contains an entry with an extremely large `decompressed_size`, the library attempts to allocate a large buffer using `Vec::with_capacity(size as usize)` in `bytes_to_entries.rs` or `Vec::resize()` in `resolve.rs`.
  6. The allocation of the excessively large buffer exhausts available memory, triggering an out-of-memory (OOM) condition.
  7. The operating system terminates the process to prevent further memory exhaustion.
  8. The application using `gix-pack` crashes, resulting in a denial-of-service.

Impact

Successful exploitation of these vulnerabilities leads to a denial-of-service (DoS) condition. For the panic vulnerability, a small amount of crafted data causes an immediate process abort. For the OOM vulnerability, a single crafted pack entry header causes the process to attempt a multi-terabyte allocation, leading to process termination by the operating system. This can affect various applications and systems, including the gix CLI, applications using the gix crate, and CI/CD systems, potentially disrupting software development workflows. The OOM vector represents a severe risk, as it is a single-packet process kill with no recovery.

Recommendation

  • Upgrade to a patched version of gix-pack when available.
  • Implement input validation on packfile data before processing to mitigate the OOM vulnerability. Specifically, implement a configurable maximum object size and validate claimed sizes against it before allocation, as suggested in the advisory.
  • Monitor for process crashes or OOM events related to applications using gix-pack. Deploy the Sigma rule Detect Gix-Pack Uncapped Memory Allocation to identify potential OOM attacks.
  • Consider blocking or filtering network traffic from untrusted Git repositories to prevent malicious packfiles from reaching vulnerable systems.
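The checks that steps 4 and 5 of the attack chain lack, as an added example that is not gix-pack's or gitoxide's own code: bounds-checked decoding of the two varint size headers that open a Git delta stream (base size, then result size), with the recommended configurable maximum object size enforced before any buffer is allocated. The function and type names, the forged 4 TiB header and the 1 GiB limit are constructed for illustration.

```rust
// Added example (not gix-pack's own code): bounds-checked parsing of the two
// size headers at the start of a Git delta stream, plus a configurable cap that
// is enforced before any buffer is allocated.

#[derive(Debug, PartialEq)]
pub enum DeltaError {
    Truncated,     // ran off the end of the buffer instead of panicking
    VarintTooLong, // more than 10 continuation bytes: cannot fit a u64
    SizeExceedsLimit { claimed: u64, limit: u64 },
}

/// Decode one little-endian base-128 varint (7 data bits per byte, MSB set
/// means "more bytes follow"), the encoding Git uses for delta size headers.
/// Returns (value, bytes consumed). Uses `get` rather than `data[i]`, so a
/// truncated stream yields an error instead of an index-out-of-bounds panic.
fn read_varint(data: &[u8], pos: usize) -> Result<(u64, usize), DeltaError> {
    let mut value: u64 = 0;
    let mut shift = 0u32;
    let mut i = pos;
    loop {
        let byte = *data.get(i).ok_or(DeltaError::Truncated)?;
        if shift > 63 {
            return Err(DeltaError::VarintTooLong);
        }
        value |= u64::from(byte & 0x7f) << shift;
        i += 1;
        if byte & 0x80 == 0 {
            return Ok((value, i - pos));
        }
        shift += 7;
    }
}

/// Parse base-size and result-size, rejecting any claimed size above
/// `max_object_size` *before* allocation so a forged multi-terabyte header
/// cannot drive `Vec::with_capacity` into an OOM kill.
pub fn checked_delta_header(delta: &[u8], max_object_size: u64)
    -> Result<(u64, u64, usize), DeltaError> {
    let (base_size, n1) = read_varint(delta, 0)?;
    let (result_size, n2) = read_varint(delta, n1)?;
    for claimed in [base_size, result_size] {
        if claimed > max_object_size {
            return Err(DeltaError::SizeExceedsLimit { claimed, limit: max_object_size });
        }
    }
    Ok((base_size, result_size, n1 + n2))
}

/// Only after validation is the output buffer sized from the (now bounded) header.
pub fn allocate_result_buffer(delta: &[u8], max_object_size: u64) -> Result<Vec<u8>, DeltaError> {
    let (_, result_size, _) = checked_delta_header(delta, max_object_size)?;
    Ok(Vec::with_capacity(result_size as usize))
}
```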

Detection coverage (2 rules)

Detect Gix-Pack Uncapped Memory Allocation

medium

Detects potential out-of-memory (OOM) conditions caused by gix-pack attempting to allocate extremely large buffers, which can indicate a denial-of-service attack.

Sigma rule. Tactics: impact. Techniques: T1499.001. Sources: process_creation, linux.

Detect Gix-Pack Panic via Delta Apply

medium

Detects potential denial-of-service conditions caused by gix-pack panicking due to malformed delta data during clone/fetch operations.

Sigma rule. Tactics: impact. Techniques: T1499.001. Sources: process_creation, linux.

Detection queries are kept inside the platform.