@ytrezq reported a heap-based memory corruption bug in Git that exploited an unsigned to signed integer conversion. An attacker could have exploited this flaw by pushing a malicious repository to GitHub to perform a denial of service or possibly read/write to unexpected memory locations. We addressed the bug by updating Git to use unsigned integers consistently. We also added validation logic to Git that looks for potentially malicious repository contents (e.g. excessively long path lengths).
CVE-2016-2315 has been created for this vulnerability and can be found in the National Vulnerability Database when it is published.
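To illustrate the class of bug described above, here is an added example (not code from Git or from this report) showing the flawed pattern of storing a size_t length in a signed int beside a hardened version that stays in size_t and caps path lengths. MAX_PATH_LEN and the join-path helper are assumptions for the illustration, not Git's actual limit or code.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on one path component and on the joined path; an
 * assumption for this example, not a limit taken from Git. */
#define MAX_PATH_LEN 4096

/* The flawed pattern: strlen() results are size_t, but the running total is
 * kept in a signed int.  Once the sum reaches 2^31 the unsigned -> signed
 * conversion yields a negative value; when that int is later handed to
 * malloc() or memcpy() it is converted back to size_t as a huge number, so
 * an allocation can be sized differently from the copy that fills it. */
int flawed_joined_len(size_t dir_len, size_t name_len)
{
    int len = dir_len + 1 + name_len + 1;   /* '/' separator and NUL */
    return len;
}

/* Hardened arithmetic: never leave size_t, reject each component before
 * adding so the sum cannot wrap, and cap the joined length as well.
 * Returns the byte count to allocate, or 0 if the input is rejected. */
size_t safe_joined_len(size_t dir_len, size_t name_len)
{
    if (dir_len > MAX_PATH_LEN || name_len > MAX_PATH_LEN)
        return 0;
    size_t total = dir_len + 1 + name_len + 1;
    if (total - 1 > MAX_PATH_LEN)           /* joined path without NUL */
        return 0;
    return total;
}

/* Build "dir/name" using the hardened length; NULL means rejected. */
char *safe_join_path(const char *dir, const char *name)
{
    size_t dir_len = strlen(dir), name_len = strlen(name);
    size_t total = safe_joined_len(dir_len, name_len);
    if (total == 0)
        return NULL;
    char *out = malloc(total);
    if (out == NULL)
        return NULL;
    memcpy(out, dir, dir_len);
    out[dir_len] = '/';
    memcpy(out + dir_len + 1, name, name_len + 1);  /* copies the NUL too */
    return out;
}
```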
@ytrezq identified that Referer headers could be leaked through specially crafted cross-origin requests that bypass our image proxy. This was considered a low risk vulnerability since our use of the CSP img-src directive dramatically reduces the number of origins that can be used for image resources. In addition, we support the meta referrer policy to further mitigate against cross-origin referrer leaks. We remediated this issue by making more robust checks when rewriting links to our image proxy.